CVE-2013-7091
Published: 2013-12-13
Priority: P2 (75) · medium (5, CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 86.20% (99.7th percentile)
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Affected
35 ranges · showing 25 (rows without version data collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| zimbra | collaboration_server | <= 7.2.5 | — |
| zimbra | collaboration_server | — | — |
Detection & IOCs (extracted from sources)
URL IOCs:
- /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
- /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00
Detection guidance:
- Detect LFI attempts by monitoring HTTP GET requests to the Zimbra resource endpoint containing directory traversal sequences ('..') in the 'skin' parameter, especially with a null-byte (%00) terminator.
- Alert on HTTP responses from the Zimbra resource endpoint containing Zimbra LDAP credential field names, indicating successful file disclosure.
- Monitor for POST requests to /service/admin/soap with SOAPAction header 'urn:zimbraAdmin#AuthRequest', which indicates post-exploitation use of stolen LDAP credentials to obtain an admin auth token.
- Monitor for file uploads to /service/extension/clientUploader/upload authenticated with the ZM_ADMIN_AUTH_TOKEN cookie, which is the post-exploitation RCE vector.
- Use Shodan/FOFA queries to identify exposed Zimbra instances as attack surface: http.title:"zimbra collaboration suite" or http.title:"zimbra web client sign in".
- The traversal query uses a fixed version parameter value 'v=091214175450'; this static value in requests to the .js.zgz endpoint can serve as a signature for exploit tool detection.
Caveats:
- The LFI null-byte termination (%00) technique requires the server to be running a PHP version or Zimbra build vulnerable to null-byte injection; patched or newer runtimes may not be susceptible.
- The Metasploit module defaults to SSL (HTTPS) and port 7071 for the zimbraAdmin interface; detection rules targeting plain HTTP on port 80 may miss exploitation attempts against the admin console.
- The traversal depth is configurable (default 9 levels); detection patterns should account for variable numbers of '../' sequences rather than matching a fixed depth.
- The Zimbra installation path is configurable in the exploit (default /opt/zimbra); defenders should also watch for traversal targeting non-default installation paths.
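The detection guidance and caveats above (variable traversal depth, the %00 terminator, the static v value, and the post-exploitation SOAP and upload endpoints) can be turned into a small access-log triage script. This is an added example written for this page, not code from any of the listed sources: the log lines are constructed, and the finding names (lfi-traversal-skin and so on) and helper functions are this example's own. It goes a little beyond the bullets by decoding a second layer of percent-encoding so double-encoded traversal is also caught, and by joining traversal hits to later admin-endpoint POSTs from the same client.

```python
"""Access-log triage for CVE-2013-7091 indicators (added example, not from the page's sources)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# One or more '../' (or '..\') segments; the exploit's depth is configurable, so no fixed count.
TRAVERSAL_RE = re.compile(r'(\.\.[/\\])+')
# Static 'v' value used by the public exploit (from the page): a tool signature, not a bug signature.
EXPLOIT_V_PARAM = "091214175450"
ADMIN_SOAP_PATH = "/service/admin/soap"
UPLOAD_PATH = "/service/extension/clientUploader/upload"

# Constructed sample lines (not real traffic). The first three hit the resource bundle with a
# traversal in 'skin': plain, single-encoded with a null byte, and double-encoded without one.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Dec/2013:10:01:02 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 18211',
    '203.0.113.10 - - [13/Dec/2013:10:01:05 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1432',
    '203.0.113.10 - - [13/Dec/2013:10:01:09 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=123&skin=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [13/Dec/2013:10:02:00 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=130201123456&skin=harmony HTTP/1.1" 200 18211',
    '203.0.113.10 - - [13/Dec/2013:10:03:11 +0000] "POST /service/admin/soap HTTP/1.1" 200 2048',
    '203.0.113.10 - - [13/Dec/2013:10:03:40 +0000] "POST /service/extension/clientUploader/upload HTTP/1.1" 200 120',
    '198.51.100.7 - - [13/Dec/2013:10:04:00 +0000] "GET /zimbra/ HTTP/1.1" 200 5113',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)  # '%20' inside the bundle name becomes a space
    rec["query"] = parts.query
    return rec


def is_res_bundle(path):
    """True for the /res/... .js.zgz message-bundle endpoint, whatever bundle list is requested."""
    return path.startswith("/res/") and path.endswith(".js.zgz")


def inspect(line):
    """Return a list of finding dicts for one line; an empty list means nothing matched."""
    rec = parse_line(line)
    if rec is None:
        return []
    base = {"client": rec["client"], "ts": rec["ts"], "status": int(rec["status"])}
    findings = []
    params = parse_qs(rec["query"], keep_blank_values=True)  # decodes one layer of %xx
    if is_res_bundle(rec["path"]):
        for raw in params.get("skin", []):
            skin = unquote(raw)  # second decode catches double-encoded '%252e%252e%252f'
            if TRAVERSAL_RE.search(skin):
                findings.append(dict(base, rule="lfi-traversal-skin", skin=skin,
                                     depth=skin.count("../") + skin.count("..\\"),
                                     nul="\x00" in skin))
        if EXPLOIT_V_PARAM in params.get("v", []):
            findings.append(dict(base, rule="exploit-tool-signature", v=EXPLOIT_V_PARAM))
    if rec["method"] == "POST" and rec["path"] == ADMIN_SOAP_PATH:
        # Access logs carry no headers: confirm the SOAPAction/AuthRequest in proxy or mailbox logs.
        findings.append(dict(base, rule="admin-soap-post", path=rec["path"]))
    if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
        findings.append(dict(base, rule="admin-upload-post", path=rec["path"]))
    return findings


def scan(lines):
    """Run inspect() over every line and return all findings in log order."""
    out = []
    for line in lines:
        out.extend(inspect(line))
    return out


def clients_to_triage(findings):
    """Clients that both attempted traversal and later touched the admin SOAP or upload endpoints."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["rule"])
    return sorted(c for c, rules in by_client.items()
                  if "lfi-traversal-skin" in rules
                  and rules & {"admin-soap-post", "admin-upload-post"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["rule"], {k: v for k, v in f.items() if k not in ("client", "rule")})
    print("triage:", clients_to_triage(scan(SAMPLE_LOG)))
```

A 200 response with a non-trivial body on a traversal hit is the strongest single indicator of disclosure, so each finding carries the status code. The admin SOAP and upload rules only see method and path; the SOAPAction header check from the guidance has to be done against the proxy or mailbox logs that record headers.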
CVSS provenance
- NVD · CVSS v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
- VulnCheck · 5.0 MEDIUM
GHSA
GHSA-cx3x-82j4-jc5x (CVE-2013-7217, ghsa_unreviewed, 2022-05-17, CVSS 5.0 MEDIUM): Unspecified vulnerability in Zimbra Collaboration Server 7
Unspecified vulnerability in Zimbra Collaboration Server 7.2.5 and earlier, and 8.0.x through 8.0.5, has "critical" impact and unspecified vectors, a different vulnerability than CVE-2013-7091.
GHSA
GHSA-8gxg-qhg3-qf9x (CVE-2013-7091, CWE-22, ghsa_unreviewed, 2022-05-13, MEDIUM): Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
VulnCheck
CVE-2013-7091 (vulncheck, 2013, CVSS 5.0 MEDIUM): Synacor Zimbra Collaboration Suite (ZCS) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13
No detection rules found.
Exploit-DB
Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit) (exploitdb, 2013-12-24, CVE-2013-7091)

```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  # ... (module boilerplate between the class header and the info hash is not present in this extract)
      'Name'           => 'Zimbra Collaboration Server LFI',
      'Description'    => %q{
        This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability
        allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen
        credentials allow the attacker to make requests to the service/admin/soap API. This can
        then be used to create an authentication token for the admin web interface. This access
        can be used to achieve remote code execution. This module has been tested on Zimbra
        Collaboration Server 8.0
```
Exploit-DB
Zimbra 2009-2013 - Local File Inclusion (exploitdb, 2013-12-06, CVE-2013-7091)

```text
# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30085.zip (zimbraexploit_rubina119.zip)
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials which allo
```
Metasploit
Zimbra Collaboration Server LFI (metasploit)
This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an authentication token for the admin web interface. This access can be used to achieve remote code execution. This module has been tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.
Nuclei
Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion (nuclei, CVE-2013-7091, CVSS 5.0 MEDIUM)
A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Template:

```yaml
id: CVE-2013-7091
info:
  name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
  author: rubina119
  severity: medium
  description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. Th
```
References
- http://osvdb.org/100747
- http://packetstormsecurity.com/files/124321
- http://www.exploit-db.com/exploits/30085
- http://www.exploit-db.com/exploits/30472
- http://www.securityfocus.com/bid/64149
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89527