cbcvebase.
CVE-2008-6668
published 2009-04-08

CVE-2008-6668: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id…

PriorityP268medium5CVSS 2.0
AVNACLAuNCPINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
15.35%
96.4th percentile
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.

Affected

2 ranges
VendorProductVersion rangeFixed in
dirk_bartleynweb2fax<= 0.2.7
dirk_bartleynweb2fax

Detection & IOCsextracted from sources · hover to see the quote

url/comm.php?id=../../../../../../../../../../etc/passwd
url/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
url/viewrq.php?format=tif&var_filename=;id%3E/tmp/id.txt;chmod%20777%20/tmp/id.txt;
url/viewrq.php?format=pdf&var_filename=;id%3E/tmp/id2.txt;chmod%20777%20/tmp/id2.txt;id
path/tmp/id.txt
path/tmp/id2.txt
  • Detect LFI attempts against comm.php by monitoring GET requests where the 'id' parameter contains directory traversal sequences (../).
  • Detect RCE attempts via viewrq.php by monitoring for shell metacharacters (semicolons, encoded characters like %3E) injected into the var_filename parameter when format=tif or format=pdf.
  • Alert on HTTP 200 responses from comm.php or viewrq.php whose body matches the pattern 'root:.*:0:0:' indicating successful /etc/passwd exfiltration.
  • The viewrq.php RCE vector passes unsanitized var_filename directly into exec() calls for tiff2ps and ghostscript; monitor process trees spawned by the web server involving these programs with unexpected arguments.
  • ·The traversal depth used in PoC payloads is 10 levels deep (../../../../../../../../../../../../); detection rules should account for variable traversal depths, not just this specific depth.
  • ·The arbitrary file download via viewrq.php (format=ps) sends the file as an attachment with Content-Type application/postscript; network-level detection should inspect the response disposition header as well as the request.

CVSS provenance

nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.