CVE-2012-4031
published 2012-07-17


Priority: P3 · 47
Severity: medium · CVSS 2.0 score: 5 · Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 52.27% (98.8th percentile)
Multiple directory traversal vulnerabilities in src/acloglogin.php in Wangkongbao CNS-1000 and 1100 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port 85.

Detection & IOCs (extracted from sources)

path: /src/acloglogin.php
cookie: lang=owned../../../../../../../../../..{FILEPATH}/....
cookie: PHPSESSID=af0402062689e5218a8bdad17d03f559
path: /etc/shadow
command: ../../../../../../../../../..
  • Detect directory traversal attempts targeting /src/acloglogin.php on port 85, specifically looking for dot-dot sequences in the 'lang' or 'langid' cookie values.
  • Alert on HTTP requests to port 85 with Cookie headers containing '../' traversal sequences in the 'lang' or 'langid' cookie fields, especially with long '/.' padding sequences (e.g., '/.' repeated 4043 times).
  • The Apache server on the affected device runs as root; successful exploitation may be evidenced by retrieval of /etc/shadow or /etc/passwd contents in HTTP 200 responses on port 85.
  • Presence of the hardcoded PHPSESSID value 'af0402062689e5218a8bdad17d03f559' in a Cookie header on port 85 is a strong indicator of Metasploit-based exploitation of this CVE.
  • The traversal depth is configurable in the Metasploit module; the default is 11 levels deep ('../../../../../../../../..'), but attackers may vary this value, so detection should use a pattern match rather than a fixed string.
  • The target file path is also configurable (default /etc/shadow), meaning the traversal cookie payload will vary depending on the attacker's chosen target file.
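
The detection bullets above, as an added example (not code from this page or its sources): a Python check over parsed HTTP requests that flags dot-dot sequences and '/.' padding in the lang or langid cookie on port 85, plus the PHPSESSID value listed above. The function names, finding labels, the padding threshold of 8 repeats and the sample requests are assumptions constructed for illustration; URL-decoding the cookie value before matching goes beyond what the bullets state.

```python
import re
from urllib.parse import unquote

TARGET_PORT = 85
TARGET_PATH = "/src/acloglogin.php"
MODULE_SESSION_ID = "af0402062689e5218a8bdad17d03f559"  # PHPSESSID value listed above
DOTDOT = re.compile(r"\.\.[/\\]")        # any depth, not a fixed string
PADDING = re.compile(r"(?:/\.){8,}")     # threshold of 8 repeats is an assumption


def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs, tolerating odd bytes."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def inspect_request(dst_port, path, cookie_header):
    """Return the list of findings for one request (empty list = nothing seen)."""
    if dst_port != TARGET_PORT:
        return []
    findings = []
    for name, raw in parse_cookies(cookie_header):
        value = unquote(raw)  # PHP URL-decodes cookie values, so match decoded
        if name in ("lang", "langid"):
            if DOTDOT.search(value):
                findings.append(f"traversal-in-{name}")
            if PADDING.search(value):
                findings.append(f"dot-slash-padding-in-{name}")
        elif name == "PHPSESSID" and value == MODULE_SESSION_ID:
            findings.append("module-session-id")
    if findings and path.split("?", 1)[0].endswith(TARGET_PATH):
        findings.append("target-path")
    return findings


# Constructed sample requests (dst_port, path, Cookie header), not captured traffic.
SAMPLES = [
    (85, TARGET_PATH, "lang=zh_CN; PHPSESSID=0123456789abcdef0123456789abcdef"),
    (85, TARGET_PATH, "lang=owned../../..{FILEPATH}" + "/." * 40
         + "; PHPSESSID=" + MODULE_SESSION_ID),
    (85, TARGET_PATH, "langid=x%2e%2e%2f%2e%2e%2f{FILEPATH}"),
    (80, "/index.php", "lang=../../x"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], inspect_request(*sample))
```

The session-ID finding is reported on its own label so it can be weighted separately from the pattern matches, since the traversal depth and target file vary between requests.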