CVE-2009-4140

EXPLOITED

Open Flash Chart v2 Beta 1-v2 Lug Wyrm Charmer - RCE


Exploitation Summary

CVE-2009-4140 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 8 public exploits from researchers including iskorpitx and Braeden Thomas, among them the Metasploit module exploits/unix/webapp/openemr_upload_exec.

AI-analyzed exploit summary: This exploit targets a remote code injection vulnerability in Joomla's com_civicrm component (CVE-2011-4275). It uploads a malicious PHP file via the ofc_upload_image.php script, which then executes arbitrary commands to fetch and deploy a shell.

Description

Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.

Exploits (8)

exploitdb · WORKING POC · VERIFIED
by iskorpitx · text · webapps · php
https://www.exploit-db.com/exploits/24969

This exploit targets a remote code injection vulnerability in Joomla's com_civicrm component (CVE-2011-4275). It uploads a malicious PHP file via the ofc_upload_image.php script, which then executes arbitrary commands to fetch and deploy a shell.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Joomla with CiviCRM component 4.2.2
No auth needed
Prerequisites: Target must have the vulnerable CiviCRM component installed · The tmp-upload-images directory must be writable
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
webapps · php
https://www.exploit-db.com/exploits/29091

This exploit demonstrates a remote code execution (RCE) vulnerability in ZonPHP v2.25 by uploading a malicious PHP file via the 'ofc_upload_image.php' endpoint. The script uses cURL to send a POST request with a PHP payload, which is then accessible on the target server.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: ZonPHP v2.25
No auth needed
Prerequisites: Target server running ZonPHP v2.25 · Network access to the target server
devstral-2 · analyzed Feb 19, 2026
exploitdb · WORKING POC
webapps · php
https://www.exploit-db.com/exploits/10532

The exploit demonstrates a remote code execution vulnerability in Open Flash Chart due to improper input sanitization. The provided URI example shows how arbitrary PHP code can be executed via the 'name' and 'HTTP_RAW_POST_DATA' parameters.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Open Flash Chart 2 Beta 1, Open Flash Chart 2, Piwik (multiple versions), Open Web Analytics 1.2.0
No auth needed
Prerequisites: Access to the vulnerable endpoint (ofc_upload_image.php)
devstral-2 · analyzed Feb 19, 2026
exploitdb · WORKING POC
php · webapps · php
https://www.exploit-db.com/exploits/24492

This PHP script exploits an arbitrary file upload vulnerability in OpenEMR 4.1.1 by uploading a malicious PHP script with multiple extensions via the 'name' parameter in '/library/openflashchart/php-ofc-library/ofc_upload_image.php'. It establishes a reverse shell connection to the attacker's machine.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: OpenEMR 4.1.1
No auth needed
Prerequisites: Network access to the target server · PHP and fsockopen enabled on the attacker's machine
devstral-2 · analyzed Feb 19, 2026
exploitdb · WORKING POC
ruby · remote · php
https://www.exploit-db.com/exploits/24529

This Metasploit module exploits an unauthenticated file upload vulnerability in OpenEMR 4.1.1 via the `ofc_upload_image.php` script, allowing arbitrary PHP code execution. It uploads a malicious PHP payload to the `tmp-upload-images` directory and executes it.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: OpenEMR 4.1.1
No auth needed
Prerequisites: Network access to the OpenEMR web interface · OpenEMR 4.1.1 or earlier with the vulnerable `openflashchart` library
devstral-2 · analyzed Feb 19, 2026
exploitdb · WORKING POC
ruby · remote · php
https://www.exploit-db.com/exploits/29210

This Metasploit module exploits an arbitrary file upload vulnerability in Open Flash Chart v2 via the 'ofc_upload_image.php' script, allowing attackers to upload and execute malicious PHP files. The exploit leverages a lack of file extension validation and improper path handling to achieve remote code execution.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Open Flash Chart v2 (and integrated applications like Piwik, OpenEMR, zonPHP)
No auth needed
Prerequisites: Network access to the target web server · The 'ofc_upload_image.php' script must be accessible
devstral-2 · analyzed Feb 19, 2026
metasploit · WORKING POC · EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/openemr_upload_exec.rb

This Metasploit module exploits an unauthenticated file upload vulnerability in OpenEMR 4.1.1 via the `ofc_upload_image.php` script, allowing arbitrary PHP code execution. It uploads a malicious PHP payload to the `tmp-upload-images` directory and triggers execution via HTTP request.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: OpenEMR 4.1.1
No auth needed
Prerequisites: Network access to the target OpenEMR instance · Vulnerable `ofc_upload_image.php` endpoint accessible
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · GREAT
by Braeden Thomas · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb

This Metasploit module exploits a file upload vulnerability in Open Flash Chart v2 via the 'ofc_upload_image.php' script, allowing arbitrary PHP file upload and execution. The exploit uploads a malicious PHP payload and triggers its execution by accessing the uploaded file.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Open Flash Chart v2 (and integrated applications like Piwik, OpenEMR, zonPHP)
No auth needed
Prerequisites: Network access to the target · Presence of vulnerable 'ofc_upload_image.php' script
devstral-2 · analyzed Feb 16, 2026

References (16)

Exploit · vdb-entry · x_refsource_bid: http://www.securityfocus.com/bid/37314
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb: http://www.osvdb.org/59051
Exploit, Third Party Advisory · x_refsource_misc: http://packetstormsecurity.com/files/123494/wpslimstatex-exec.txt
Mailing List · mailing-list · x_refsource_mlist: http://www.openwall.com/lists/oss-security/2009/12/14/3
Mailing List · mailing-list · x_refsource_mlist: http://www.openwall.com/lists/oss-security/2009/12/14/1
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_xf: https://exchange.xforce.ibmcloud.com/vulnerabilities/53825
Third Party Advisory · third-party-advisory · x_refsource_secunia: http://secunia.com/advisories/55160
Vendor Advisory · third-party-advisory · x_refsource_secunia: http://secunia.com/advisories/37078
Exploit, Third Party Advisory · exploit · x_refsource_exploit-db: http://www.exploit-db.com/exploits/24969
Third Party Advisory · third-party-advisory · x_refsource_secunia: http://secunia.com/advisories/55162
Vendor Advisory · vdb-entry · x_refsource_vupen: http://www.vupen.com/english/advisories/2009/2966
Exploit, Third Party Advisory · x_refsource_misc: http://packetstormsecurity.com/files/123493/wpseowatcher-exec.txt
Vendor Advisory · third-party-advisory · x_refsource_secunia: http://secunia.com/advisories/37911

Scores

EPSS 0.9109
EPSS Percentile 99.7%

Details

VulnCheck KEV 2014-05-06
Status published
Products (4)
matomo/matomo 0.2.37
matomo/matomo 0.4.2
matomo/matomo 0.4.3
teethgrinder.co.uk/open_flash_chart 2.0 beta_1 (8 CPE variants)
Published Dec 22, 2009
Tracked Since Feb 18, 2026