cbcvebase.
CVE-2017-14537
published 2018-02-16

CVE-2017-14537: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.

PriorityP356medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EXPLOIT
EPSS
39.49%
98.4th percentile
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
netfortristrixbox

Detection & IOCsextracted from sources · hover to see the quote

url/maint/index.php?packages
url/maint/modules/home/index.php
commandxajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages
url/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english
  • Detect POST requests to /maint/index.php?packages containing path traversal sequences in the xajaxargs[] parameter (e.g., ..%2f sequences targeting /etc/passwd).
  • Detect GET requests to /maint/modules/home/index.php with a lang parameter containing path traversal sequences and a null-byte (%00) followed by 'english' to bypass extension checks.
  • Alert on HTTP responses containing 'root:.*:0:0:' pattern in the body, indicating successful /etc/passwd file read via path traversal.
  • Flag use of hardcoded Basic Auth credential 'bWFpbnQ6cGFzc3dvcmQ=' (base64 for maint:password) in Authorization headers targeting Trixbox /maint/ endpoints.
  • ·The null-byte (%00) truncation technique used in the lang parameter traversal (appending %00english) is only effective on PHP installations where null-byte handling in file path functions is not patched — typically PHP < 5.3.4.
  • ·The exploit targets the /maint/ interface which requires authentication (Basic Auth with maint:password); detections should account for authenticated sessions, not just anonymous traffic.

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.