CVE-2008-6668
published 2009-04-08CVE-2008-6668: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id…
PriorityP268medium5CVSS 2.0
AVNACLAuNCPINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
15.35%
96.4th percentile
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dirk_bartley | nweb2fax | <= 0.2.7 | — |
| dirk_bartley | nweb2fax | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect LFI attempts against comm.php by monitoring GET requests where the 'id' parameter contains directory traversal sequences (../). ↗
- →Detect RCE attempts via viewrq.php by monitoring for shell metacharacters (semicolons, encoded characters like %3E) injected into the var_filename parameter when format=tif or format=pdf. ↗
- →Alert on HTTP 200 responses from comm.php or viewrq.php whose body matches the pattern 'root:.*:0:0:' indicating successful /etc/passwd exfiltration. ↗
- →The viewrq.php RCE vector passes unsanitized var_filename directly into exec() calls for tiff2ps and ghostscript; monitor process trees spawned by the web server involving these programs with unexpected arguments. ↗
- ·The traversal depth used in PoC payloads is 10 levels deep (../../../../../../../../../../../../); detection rules should account for variable traversal depths, not just this specific depth. ↗
- ·The arbitrary file download via viewrq.php (format=ps) sends the file as an attachment with Content-Type application/postscript; network-level detection should inspect the response disposition header as well as the request. ↗
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cfjr-rc4g-gj9c: Multiple directory traversal vulnerabilities in nweb2fax 0
ghsa_unreviewed·2022-05-17
CVE-2008-6668 [MEDIUM] CWE-22 GHSA-cfjr-rc4g-gj9c: Multiple directory traversal vulnerabilities in nweb2fax 0
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.
VulnCheck
dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2008·CVSS 5.0
CVE-2008-6668 [MEDIUM] dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.
Affected: dirk_bartley nweb2fax
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-20
No detection rules found.
Exploit-DB
nweb2fax 0.2.7 - Multiple Vulnerabilities
exploitdb·2008-06-18
CVE-2008-6669 nweb2fax 0.2.7 - Multiple Vulnerabilities
nweb2fax 0.2.7 - Multiple Vulnerabilities
---
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ dun[at]strcpy.pl ]
##################################################################
# [ nweb2fax $line";
# }
# }
# ...
#
#
# [ Arbitrary File Download Vulnerability ]:
#
*** /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
#
# Bug:
#
# ...
# $var_filename=$_GET['var_filename'];
# $var_format=$_GET['format'];
# ...
# if( $var_format == "ps" ) {
# $filename = "$DIR_SPOOL/$var_filename";
# header("Content-Type: application/postscript");
# header('Content-Disposition: attachment;
filename="downloaded.ps"');
# readfile("$filename");
# ...
#
#
Nuclei
nweb2fax <=0.2.7 - Local File Inclusion
nuclei·CVSS 5.0
CVE-2008-6668 [MEDIUM] nweb2fax <=0.2.7 - Local File Inclusion
nweb2fax <=0.2.7 - Local File Inclusion
nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via the id parameter submitted to comm.php and the var_filename parameter submitted to viewrq.php.
Template:
id: CVE-2008-6668
info:
name: nweb2fax <=0.2.7 - Local File Inclusion
author: geeknik
severity: medium
description: nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via the id parameter submitted to comm.php and the var_filename parameter submitted to viewrq.php.
impact: |
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.
remediation: |
Upgrade to a patched version of nweb2fax or apply the necessary security patches prov
http://www.securityfocus.com/bid/29804https://exchange.xforce.ibmcloud.com/vulnerabilities/43172https://exchange.xforce.ibmcloud.com/vulnerabilities/43173https://www.exploit-db.com/exploits/5856http://www.securityfocus.com/bid/29804https://exchange.xforce.ibmcloud.com/vulnerabilities/43172https://exchange.xforce.ibmcloud.com/vulnerabilities/43173https://www.exploit-db.com/exploits/5856
2009-04-08
Published
Exploited in the wild