CVE-2011-4075

EXPLOITED IN THE WILD

phpLDAPadmin < 1.2.2 - Remote Code Execution via Orderby Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2011-4075 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including Metasploit, EgiX, including a Metasploit module exploits/multi/http/phpldapadmin_query_engine.

AI-analyzed exploit summary This Metasploit module exploits a PHP code injection vulnerability in phpLDAPadmin <= 1.2.1.1 via the query_engine parameter, allowing remote code execution by leveraging the create_function() call with user-controlled input.

Description

The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/18031

This Metasploit module exploits a PHP code injection vulnerability in phpLDAPadmin <= 1.2.1.1 via the query_engine parameter, allowing remote code execution by leveraging the create_function() call with user-controlled input.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpLDAPadmin <= 1.2.1.1
No auth needed
Prerequisites: Network access to the target application · phpLDAPadmin installation with vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by EgiX · phpwebappsphp
https://www.exploit-db.com/exploits/18021

This exploit demonstrates a remote PHP code injection vulnerability in phpLDAPadmin <= 1.2.1.1 by injecting arbitrary PHP code via the 'orderby' parameter in the 'query_engine' command, leveraging unsafe use of create_function().

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpLDAPadmin <= 1.2.1.1
No auth needed
Prerequisites: Network access to the target · phpLDAPadmin installation with vulnerable version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phpldapadmin_query_engine.rb

This Metasploit module exploits a PHP code injection vulnerability in phpLDAPadmin versions 1.2.1.1 and earlier by leveraging the `create_function()` call in `lib/functions.php`. It injects malicious PHP code via the `query_engine` parameter, allowing remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpLDAPadmin <= 1.2.1.1
No auth needed
Prerequisites: Network access to the target · phpLDAPadmin installation with vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/76594
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/50331
Exploit, Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/10/25/2
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18021/
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46672
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46551
Exploit, Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/10/24/9
Third Party Advisory x_refsource_confirm
http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2333

Scores

EPSS 0.8440
EPSS Percentile 99.3%

Details

VulnCheck KEV 2011-11-02
InTheWild.io 2020-11-09
CWE
CWE-94
Status published
Products (8)
phpldapadmin_project/phpldapadmin 1.2.0
phpldapadmin_project/phpldapadmin 1.2.0.1
phpldapadmin_project/phpldapadmin 1.2.0.2
phpldapadmin_project/phpldapadmin 1.2.0.3
phpldapadmin_project/phpldapadmin 1.2.0.4
phpldapadmin_project/phpldapadmin 1.2.0.5
phpldapadmin_project/phpldapadmin 1.2.1
phpldapadmin_project/phpldapadmin 1.2.1.1
Published Nov 02, 2011
Tracked Since Feb 18, 2026