cbcvebase.
CVE-2013-1081
published 2013-03-11

CVE-2013-1081: Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute…

PriorityP265high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
68.08%
99.2th percentile
Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter.

Affected

2 ranges
VendorProductVersion rangeFixed in
novellzenworks_mobile_management
novellzenworks_mobile_management

Detection & IOCsextracted from sources · hover to see the quote

path/MDM.php
path/DUSAP.php
path/download.php
commandlanguage=res/languages/../../../../php/temp/sess_<PHPSESSID>
pathres/languages/../../../../php/temp/
  • Detect POST requests to DUSAP.php containing directory traversal sequences in the 'language' GET parameter, specifically patterns traversing into php/temp session files.
  • Look for HTTP requests to DUSAP.php with a 'language' parameter value containing '../../../../' traversal sequences, particularly targeting php/temp/sess_ paths (PHP session file poisoning).
  • Monitor for HEAD requests to /download.php with a PHPSESSID cookie immediately followed by POST requests to DUSAP.php with base64-encoded body data — this is the two-stage session-poisoning upload pattern used by the exploit.
  • Flag HTTP responses from the target containing the string 'ZENworks Mobile Management User Self-Administration Portal' to identify exposed vulnerable instances for prioritized patching/monitoring.
  • Versions matching 2.6.0, 2.6.1, or 2.7.0 are confirmed vulnerable; version fingerprinting via the portal's 'Version' string can identify targets.
  • ·The exploit targets Windows installations only; the traversal path uses Windows-style backslash separators (\..\..\php\temp\) and drops a Windows PE executable payload.
  • ·The exploit uses an empty User-Agent string during the session-setup HEAD request, which can be used as a detection signal.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.