CVE-2013-7091
published 2013-12-13


Priority: P2 (75) · Severity: medium · CVSS 2.0 score: 5
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:P / I:N / A:N
ITW exploit: VulnCheck KEV · Exploited in the wild
EPSS: 86.20% (99.7th percentile)
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

Affected

35 ranges, 25 shown in this extract (version-range and fixed-in cells were not captured except where noted):

Vendor    Product                     Version range   Fixed in
synacor   zimbra_collaboration_suite  (16 entries; ranges not captured)
zimbra    collaboration_server        <= 7.2.5        (1 of 9 entries; other ranges not captured)

Detection & IOCs (extracted from sources)

path:   /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
url:    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
url:    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00
path:   /opt/zimbra/conf/localconfig.xml
path:   /service/admin/soap
path:   /zimbraAdmin/
port:   7071
cookie: ZM_ADMIN_AUTH_TOKEN
  • Detect LFI attempts by monitoring HTTP GET requests to the Zimbra resource endpoint containing directory traversal sequences ('..') in the 'skin' parameter, especially with a null-byte (%00) terminator.
  • Alert on HTTP responses from the Zimbra resource endpoint containing Zimbra LDAP credential field names, indicating successful file disclosure.
  • Monitor for POST requests to /service/admin/soap with SOAPAction header 'urn:zimbraAdmin#AuthRequest', which indicates post-exploitation use of stolen LDAP credentials to obtain an admin auth token.
  • Monitor for file uploads to /service/extension/clientUploader/upload authenticated with ZM_ADMIN_AUTH_TOKEN cookie, which is the post-exploitation RCE vector.
  • Use Shodan/FOFA queries to identify exposed Zimbra instances as attack surface: http.title:"zimbra collaboration suite" or http.title:"zimbra web client sign in".
  • The traversal query uses a fixed version parameter value 'v=091214175450'; this static value in requests to the .js.zgz endpoint can serve as a signature for exploit tool detection.
  • The LFI null-byte termination (%00) technique requires the server to be running a PHP version or Zimbra build vulnerable to null-byte injection; patched or newer runtimes may not be susceptible.
  • The Metasploit module defaults to SSL (HTTPS) and port 7071 for the zimbraAdmin interface; detection rules targeting plain HTTP on port 80 may miss exploitation attempts against the admin console.
  • The traversal depth is configurable (default 9 levels); detection patterns should account for variable numbers of '../' sequences rather than matching a fixed depth.
  • The Zimbra installation path is configurable in the exploit (default /opt/zimbra); defenders should also watch for traversal targeting non-default installation paths.
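The detection bullets above, turned into working log-analysis code as an added example (not from this page's sources or from Zimbra). It assumes a constructed JSON-lines reverse-proxy log format with the fields ts, src, dst_port, method, uri, status and headers; the sample records are constructed, not captured traffic. The traversal rule matches any number of '../' segments after decoding (so it is independent of depth and of the installation path being targeted), tags the %00 terminator and the fixed v=091214175450 value separately, and the correlation step raises severity only when one source touches the full LFI, admin AuthRequest and clientUploader sequence.

```python
"""Stage-aware detection for CVE-2013-7091 exploitation attempts.

Added example; the log format below is an assumption (constructed JSON lines
from a hypothetical reverse proxy), not a Zimbra log format.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# One or more "../" or "..\" segments: variable depth, per the guidance above.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)+")
# The public exploit's static version parameter value (from the IOC list).
KNOWN_TOOL_V = "091214175450"
# The vulnerable resource endpoint: anything under /res/ ending in .js.zgz
RESOURCE_RE = re.compile(r"^/res/.*\.js\.zgz$")

# Constructed sample log (not real traffic). 198.51.100.7 runs the whole
# chain; 203.0.113.5 requests a normal skin and then logs in as an admin.
LOG_LINES = [
    '{"ts":"2013-12-14T10:00:01Z","src":"198.51.100.7","dst_port":443,"method":"GET",'
    '"uri":"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz'
    '?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00",'
    '"status":200,"headers":{}}',
    '{"ts":"2013-12-14T10:00:02Z","src":"198.51.100.7","dst_port":443,"method":"GET",'
    '"uri":"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz'
    '?v=20131201&skin=..%2F..%2F..%2Fetc%2Fpasswd","status":200,"headers":{}}',
    '{"ts":"2013-12-14T10:00:05Z","src":"198.51.100.7","dst_port":7071,"method":"POST",'
    '"uri":"/service/admin/soap","status":200,'
    '"headers":{"SOAPAction":"urn:zimbraAdmin#AuthRequest"}}',
    '{"ts":"2013-12-14T10:00:09Z","src":"198.51.100.7","dst_port":7071,"method":"POST",'
    '"uri":"/service/extension/clientUploader/upload","status":200,'
    '"headers":{"Cookie":"ZM_ADMIN_AUTH_TOKEN=REDACTED"}}',
    '{"ts":"2013-12-14T10:01:00Z","src":"203.0.113.5","dst_port":443,"method":"GET",'
    '"uri":"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz'
    '?v=20131201&skin=harmony","status":200,"headers":{}}',
    '{"ts":"2013-12-14T10:01:30Z","src":"203.0.113.5","dst_port":7071,"method":"POST",'
    '"uri":"/service/admin/soap","status":200,'
    '"headers":{"SOAPAction":"urn:zimbraAdmin#AuthRequest"}}',
]


def classify(line):
    """Return a list of (rule, detail) findings for one JSON log record."""
    rec = json.loads(line)
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    parts = urlsplit(rec["uri"])
    path = unquote(parts.path)
    findings = []

    # Rule 1: traversal in the skin parameter of the resource endpoint.
    if rec["method"] == "GET" and RESOURCE_RE.match(path):
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for skin in params.get("skin", []):
            skin = unquote(skin)  # second pass catches double-encoding
            match = TRAVERSAL_RE.search(skin)
            if match:
                tags = ["depth=%d" % match.group(0).count("..")]
                if "\x00" in skin:
                    tags.append("null-byte")
                if KNOWN_TOOL_V in params.get("v", []):
                    tags.append("known-tool-v")
                findings.append(("lfi-skin-traversal", " ".join(tags)))

    # Rule 2: admin AuthRequest over SOAP (stolen-credential use).
    if (rec["method"] == "POST" and path == "/service/admin/soap"
            and headers.get("soapaction", "").lower() == "urn:zimbraadmin#authrequest"):
        findings.append(("admin-auth-request", "port=%s" % rec.get("dst_port")))

    # Rule 3: upload authenticated with the admin auth-token cookie.
    if (rec["method"] == "POST" and path == "/service/extension/clientUploader/upload"
            and "ZM_ADMIN_AUTH_TOKEN=" in headers.get("cookie", "")):
        findings.append(("admin-upload", "ZM_ADMIN_AUTH_TOKEN cookie"))
    return findings


def correlate(lines):
    """Severity per source: full three-stage chain > traversal alone > admin-only."""
    seen_by_src = {}
    for line in lines:
        src = json.loads(line)["src"]
        for rule, _ in classify(line):
            seen_by_src.setdefault(src, set()).add(rule)
    chain = {"lfi-skin-traversal", "admin-auth-request", "admin-upload"}
    verdicts = {}
    for src, seen in seen_by_src.items():
        if chain <= seen:
            verdicts[src] = "critical: full LFI -> admin AuthRequest -> upload chain"
        elif "lfi-skin-traversal" in seen:
            verdicts[src] = "high: traversal against the resource endpoint"
        else:
            verdicts[src] = "info: admin activity only; review if the source is unexpected"
    return verdicts


if __name__ == "__main__":
    for line in LOG_LINES:
        for rule, detail in classify(line):
            print(json.loads(line)["src"], rule, detail)
    for src, verdict in correlate(LOG_LINES).items():
        print(src, verdict)
```

The admin rules carry the destination port so that alerts on 7071 can be weighted differently from the same paths on 80/443, and the traversal rule deliberately ignores which file follows the '../' segments, so requests aimed at non-default installation paths are caught the same way as /opt/zimbra targets.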

CVSS provenance

nvd:       v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 5.0 MEDIUM