PmWiki pagelist.php Remote PHP Code Injection Exploit

Rocco Calvi

November 9, 2011

CVE: CVE-2011-4453
Affected Vendor: PmWiki
Affected Product: PmWiki
Exploit Type: Metasploit Module
Metasploit Module: exploit/multi/http/pmwiki_pagelist

Description

This module exploits an arbitrary command execution vulnerability in PmWiki versions 2.0.0 to 2.2.34. The vulnerable function is inside /scripts/pagelist.php, allowing remote PHP code injection and execution.

References

Rapid7 Module