cbcvebase.
CVE-2014-5111
published 2014-07-28

CVE-2014-5111: Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1)…

PriorityP341medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
21.24%
97.3th percentile
Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.

Detection & IOCsextracted from sources · hover to see the quote

url/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00
url/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00
url/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00
url/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00
path/maint/modules/endpointcfg/endpointcfg.php
path/maint/modules/repo/repo.php
path/maint/modules/asterisk_info/asterisk_info.php
path/maint/modules/home/index.php
  • Detect LFI exploitation attempts by monitoring HTTP GET requests to trixbox maint module PHP files containing directory traversal sequences (../../../../) in the 'lang' parameter, particularly targeting /etc/passwd with a null byte (%00) terminator.
  • Successful exploitation produces a response body containing Unix /etc/passwd content; match response body against the pattern 'root:.*:0:0:' to confirm file read.
  • The null byte (%00) appended to the traversal payload is used to truncate the file extension appended by the application; monitor for URL-encoded null bytes in query string parameters on these endpoints.
  • ·The null byte truncation technique (%00) requires that the PHP installation has not disabled null byte handling; this attack vector is only effective on PHP versions prior to 5.3.4 where null byte poisoning in file paths was fixed.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.