CVE-2011-4334

HIGH

LabWiki < 1.1 - Authenticated Arbitrary PHP File Upload via .gif Extension

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-4334. PoCs published by muuratsalo.

AI-analyzed exploit summary: The document describes multiple vulnerabilities in LabWiki <= 1.1, including a shell upload vulnerability due to improper filetype checks and multiple XSS vulnerabilities. No exploit code is provided, only descriptions and example URLs.

Description

edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by muuratsalo · text · webapps · php
https://www.exploit-db.com/exploits/18100


Classification: Writeup 90%
Attack Type: XSS | Other
Complexity: Trivial
Reliability: Theoretical
Target: LabWiki <= 1.1
No auth needed
Prerequisites: Access to the upload functionality (if restricted) · Ability to craft malicious URLs for XSS
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/21/16
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/02/08/5

Scores

CVSS v3 8.8
EPSS 0.0584
EPSS Percentile 92.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
labwiki_project/labwiki < 1.1
Published Oct 23, 2017
Tracked Since Feb 18, 2026