
CVE-2013-7091

Published: 13/12/2013 Updated: 04/06/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 525
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote malicious users to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
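A detection sketch for the request pattern described in the summary, added here as an example and not taken from the original page, the Nmap script, or Zimbra. It assumes combined-format web access logs; the sample log lines and the "placeholder" paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_skin_traversal(target):
    """True if the target is a /res/*.js.zgz request whose skin parameter has a '..' segment."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if "/res/" not in path or not path.endswith(".js.zgz"):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("skin", []):
        # Normalise backslashes so '..\\' is treated like '../'.
        skin = fully_decode(raw).replace("\\", "/")
        if ".." in skin.split("/"):
            return True
    return False

def scan(lines):
    """Return (line_number, request_target) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_skin_traversal(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log lines (not real traffic); file paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2013:10:00:01 +0000] "GET /res/I18nMsg,AjxMsg.js.zgz?v=1&skin=carbon HTTP/1.1" 200 5120',
    '192.0.2.66 - - [06/Dec/2013:10:00:02 +0000] "GET /res/I18nMsg,AjxMsg.js.zgz?v=1&skin=../../placeholder HTTP/1.1" 200 912',
    '192.0.2.66 - - [06/Dec/2013:10:00:03 +0000] "GET /res/ZmMsg.js.zgz?skin=%252e%252e%252fplaceholder HTTP/1.1" 200 912',
    '192.0.2.20 - - [06/Dec/2013:10:00:04 +0000] "GET /zimbra/mail?skin=.. HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit only shows that a traversal attempt was made; whether the host was affected depends on the installed Zimbra version.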

Vulnerable Product

synacor zimbra collaboration suite 6.0.0

synacor zimbra collaboration suite 6.0.2

synacor zimbra collaboration suite 6.0.3

synacor zimbra collaboration suite 6.0.1

synacor zimbra collaboration suite 6.0.10

synacor zimbra collaboration suite 6.0.12

synacor zimbra collaboration suite 6.0.4

synacor zimbra collaboration suite 6.0.5

synacor zimbra collaboration suite 6.0.13

synacor zimbra collaboration suite 6.0.14

synacor zimbra collaboration suite 6.0.6

synacor zimbra collaboration suite 6.0.7

synacor zimbra collaboration suite 6.0.15

synacor zimbra collaboration suite 6.0.16

synacor zimbra collaboration suite 6.0.8

synacor zimbra collaboration suite 6.0.9

Exploits

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu
# CVE : No CVE, no patch just 0Day
# State : Cr ...

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include REXML
  ...

Nmap Scripts

http-vuln-cve2013-7091

A 0-day was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.

nmap -sV --script http-vuln-cve2013-7091 <target>
nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091=/ZimBra <target>

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Description:
|       An 0 day was released on the 6th December 2013 by rubina119.
|       The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc.
|       Using this script, we can detect if the file is present.
|       If the file is present, we assume that the host might be vulnerable.
|
|       In future version, we'll extract credentials from the file but it's not implemented yet and
|       the detection will be accurate.
|
|       TODO:
|       Add the possibility to read compressed file (because we're only looking if it exists)
|       Then, send some payload to create the new mail account
|     Disclosure date: 2013-12-06
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|_      http://www.exploit-db.com/exploits/30085/

Github Repositories

Zimbra XXE+SSRF+UPLOAD Poc

Zimbra POC. Usage: you need to edit the source code yourself and change dtd_url to the address of a DTD with the following content:
<!ENTITY % file SYSTEM "file:/conf/localconfigxml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>&

Recent Articles

Comcast resets 200k cleartext passwords, hacker claims breach
The Register • Darren Pauli • 11 Nov 2015

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco's then-vulnerable mailserver. The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace. Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate. It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a...