CVE-2023-34096
published 2023-06-08


Priority: P1, score 80, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 62.68% (99.1th percentile)
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
sni      thruk     < 3.06.2        3.06.2
thruk    thruk     < 3.06.2        3.06.2

Detection & IOCs (extracted from sources)

url: cgi-bin/panorama.cgi
url: cgi-bin/login.cgi
path: backgrounds/../../../..{target_folder}
cookie: thruk_auth
  • Alert on the `location` parameter in panorama.cgi requests containing dot-dot-slash sequences (`../`) traversing outside the expected `backgrounds/` directory.
  • Detect login attempts to `cgi-bin/login.cgi` using default credentials (thrukadmin/thrukadmin) followed immediately by a POST to `cgi-bin/panorama.cgi` with a traversal payload.
  • Look for the cookie `thruk_message` set to `fail_message~~login%20failed` as an indicator of brute-force or credential-stuffing attempts against the Thruk login endpoint.
  • Flag multipart POST uploads to panorama.cgi where the uploaded filename is `exploit.jpg` and the file content does not match a valid JPEG magic byte signature.
  • Exploitation requires a valid authenticated session (thruk_auth cookie); the exploit attempts authentication with default credentials first, so disabling or changing default credentials reduces but does not eliminate risk if other valid credentials exist.
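As an added illustration of the first detection bullet (example code written for this record, not code from Thruk or from the advisory), the following Python resolves the `location` parameter of panorama.cgi requests and flags any value that would land outside `backgrounds/`, including double-encoded and backslash variants. The request records and their `ip`/`method`/`url`/`body` layout are constructed assumptions about what a reverse proxy or WAF log might provide.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

EXPECTED_ROOT = "backgrounds"  # directory uploads are expected to stay inside

# Constructed sample records (not real traffic); the body is the raw form string.
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.5", "method": "POST", "url": "/thruk/cgi-bin/panorama.cgi",
     "body": "location=backgrounds%2F..%2F..%2F..%2F..%2Ftmp"},
    {"ip": "10.0.0.7", "method": "POST", "url": "/thruk/cgi-bin/panorama.cgi",
     "body": "location=backgrounds%2Fcustom"},
    {"ip": "10.0.0.9", "method": "POST", "url": "/thruk/cgi-bin/panorama.cgi",
     "body": "location=..%252F..%252Fetc"},  # double-encoded traversal
    {"ip": "10.0.0.9", "method": "GET", "url": "/thruk/cgi-bin/status.cgi", "body": ""},
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252F-style double encoding cannot hide a slash."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def location_escapes_root(location: str, root: str = EXPECTED_ROOT) -> bool:
    """True if the upload location resolves outside the expected directory."""
    decoded = decode_fully(location).replace("\\", "/")
    normalized = posixpath.normpath(decoded)  # collapses ./ and resolves ../
    if normalized.startswith("/") or normalized.startswith(".."):
        return True
    return normalized != root and not normalized.startswith(root + "/")


def extract_location(record: dict):
    """Pull `location` from the query string or the form body, whichever carries it."""
    params = parse_qs(urlsplit(record["url"]).query, keep_blank_values=True)
    params.update(parse_qs(record.get("body", ""), keep_blank_values=True))
    return params.get("location", [None])[0]


def scan_requests(records: list) -> list:
    """Return one alert per panorama.cgi request whose location escapes the root."""
    alerts = []
    for rec in records:
        if not urlsplit(rec["url"]).path.endswith("panorama.cgi"):
            continue
        loc = extract_location(rec)
        if loc is not None and location_escapes_root(loc):
            resolved = posixpath.normpath(decode_fully(loc).replace("\\", "/"))
            alerts.append({"ip": rec["ip"], "location": loc, "resolved": resolved})
    return alerts
```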