CVE-2008-6825
published 2009-06-05


Priority: P3 · 48 · medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 20.27% (97.1th percentile)
Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter.

Affected (3 ranges)

Vendor    Product    Version range    Fixed in
trixbox   trixbox    <= 2.6.1         -
trixbox   trixbox    -                -
trixbox   trixbox    -                -

Detection & IOCs (extracted from sources)

url: /user/index.php
path: ../../../../../../../../../../tmp/sess_!SESSIONID!%00
command: langChoice=../../../../../../../../../../tmp/sess_<SESSIONID>%00
cookie: PHPSESSID
path: /tmp/sess_<SESSIONID>
command: langChoice=%260 2>%260");?>
  • Detect POST requests to /user/index.php containing directory traversal sequences (../../) in the langChoice parameter, especially targeting /tmp/sess_ paths with a null byte (%00) terminator.
  • Two-stage attack pattern: the first POST injects a PHP payload into langChoice (session file poisoning); the second POST traverses to /tmp/sess_<id>%00 to trigger execution. Alert on sequential POSTs to /user/index.php where the second request contains a /tmp/sess_ path traversal.
  • Look for a null byte (%00) in the langChoice POST parameter, used to truncate the file path and bypass extension checks.
  • Detect PHP code injection patterns in the langChoice POST body, such as opening PHP tags or exec/shell function calls embedded in the parameter value.
  • Fingerprint vulnerable trixbox instances by checking the HTTP response body for the pattern: v2.6.1 ©2008 Fonality
  • The maximum usable payload space is constrained by Apache's LimitRequestFieldSize header limit (8190 bytes minus a 23-byte buffer), limiting shellcode size in the injection phase.
  • The sudo-based root shell escalation path works only on more recent trixbox versions; older versions may only yield an asterisk-uid shell.
  • After exploitation, the injected PHP payload is left in /tmp/ and must be cleaned up manually; the Metasploit module does not perform automatic cleanup.
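The detection notes above, turned into working log-inspection logic. This is an added example, not code from the CVE record or from trixbox; it assumes a WAF or reverse-proxy log that records POST bodies (plain access logs do not), and the sample events are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Patterns taken from the detection notes above.
TRAVERSAL = re.compile(r"(?:\.\./){2,}")           # repeated ../ segments
SESS_PATH = re.compile(r"/tmp/sess_")              # PHP session file path
PHP_CODE = re.compile(r"<\?php|<\?=|\b(?:exec|shell_exec|system|passthru|popen)\s*\(", re.I)

def inspect(body):
    """Classify one POST body sent to /user/index.php; returns a set of finding names."""
    findings = set()
    for raw in parse_qs(body, keep_blank_values=True).get("langChoice", []):
        for val in (raw, unquote(raw)):          # check once- and twice-decoded forms
            if TRAVERSAL.search(val):
                findings.add("traversal")
            if "\x00" in val:                    # %00 truncates the include path
                findings.add("null-byte")
            if SESS_PATH.search(val):
                findings.add("sess-file")
            if PHP_CODE.search(val):
                findings.add("php-inject")
    return findings

def correlate(events):
    """events: (src_ip, method, path, body) tuples in arrival order.
    Returns (event_index, src_ip, sorted findings) alerts, plus a two-stage
    alert when a sess-file traversal follows a PHP injection from the same source."""
    alerts, last_inject = [], {}
    for i, (src, method, path, body) in enumerate(events):
        if method != "POST" or path.split("?", 1)[0] != "/user/index.php":
            continue
        f = inspect(body)
        if f:
            alerts.append((i, src, sorted(f)))
        if "php-inject" in f:
            last_inject[src] = i
        if {"traversal", "sess-file"} <= f and last_inject.get(src, i) < i:
            alerts.append((i, src, ["two-stage-session-poisoning"]))
    return alerts

# Constructed sample log (assumption: the proxy records POST bodies).
SAMPLE = [
    ("203.0.113.7", "POST", "/user/index.php", "langChoice=english&submit=Submit"),
    ("203.0.113.7", "POST", "/user/index.php", "langChoice=%3C%3Fphp+echo+1%3B+%3F%3E"),
    ("203.0.113.7", "POST", "/user/index.php",
     "langChoice=../../../../../../../../../../tmp/sess_CONSTRUCTED%00"),
    ("198.51.100.4", "GET", "/user/index.php", ""),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```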