Published: 13/12/2013 Updated: 04/06/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 566
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote malicious users to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

Vulnerable Product

synacor zimbra collaboration suite 6.0.0

synacor zimbra collaboration suite 6.0.1

synacor zimbra collaboration suite 6.0.2

synacor zimbra collaboration suite 6.0.3

synacor zimbra collaboration suite 6.0.4

synacor zimbra collaboration suite 6.0.5

synacor zimbra collaboration suite 6.0.6

synacor zimbra collaboration suite 6.0.7

synacor zimbra collaboration suite 6.0.8

synacor zimbra collaboration suite 6.0.9

synacor zimbra collaboration suite 6.0.10

synacor zimbra collaboration suite 6.0.12

synacor zimbra collaboration suite 6.0.13

synacor zimbra collaboration suite 6.0.14

synacor zimbra collaboration suite 6.0.15

synacor zimbra collaboration suite 6.0.16


# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu
# CVE : No CVE, no patch just 0Day
# State : Cr ...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include REXML ...

Nmap Scripts


A 0-day was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.

nmap -sV --script http-vuln-cve2013-7091 <target>
nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091=/ZimBra <target>

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Description:
|       An 0 day was released on the 6th December 2013 by rubina119.
|       The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc.
|       Using this script, we can detect if the file is present.
|       If the file is present, we assume that the host might be vulnerable.
|
|       In future version, we'll extract credentials from the file but it's not implemented yet and
|       the detection will be accurate.
|
|       TODO:
|       Add the possibility to read compressed file (because we're only looking if it exists)
|       Then, send some payload to create the new mail account
|     Disclosure date: 2013-12-06
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|_      http://www.exploit-db.com/exploits/30085/

Metasploit Modules

Zimbra Collaboration Server LFI

This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an authentication token for the admin web interface. This access can be used to achieve remote code execution. This module has been tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.

msf > use exploit/unix/webapp/zimbra_lfi
msf exploit(zimbra_lfi) > show targets
msf exploit(zimbra_lfi) > set TARGET <target-id>
msf exploit(zimbra_lfi) > show options
    ...show and set options...
msf exploit(zimbra_lfi) > exploit

Github Repositories


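Red Team Practitioner's Field Manual. Statement. Author : By klion Date : 2020215 Message : May every remaining day of 2020 go well. Why this is shared: first, to give both the "attack" and "defense" sides a more comprehensive and practical reference. As the old saying goes, "if you do not understand the attack, how can you understand the defense"; anyone who talks only about "attack" or only about "defense" is not being serious; be capable at both offense and defense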



Recent Articles

Comcast resets 200k cleartext passwords, hacker claims breach
The Register • Darren Pauli • 11 Nov 2015

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco's then-vulnerable mailserver.
The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace.
Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate.
It told the Chicago Tribune the data was probably obtained through phishing, malware...