
File http-vuln-cve2013-7091

Script types: portrule
Categories: exploit, vuln, intrusive
Download: http://nmap.org/svn/scripts/http-vuln-cve2013-7091.nse

User Summary

A 0-day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.

The vulnerability is a local file inclusion that can retrieve any file from the server.

Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability.

TODO: Add the possibility to read compressed files. Then, send some payload to create the new mail account.

Script Arguments

http-vuln-cve2013-7091.uri

URI. Default: /zimbra

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script http-vuln-cve2013-7091 <target>
nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091.uri=/ZimBra <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Description:
|       An 0 day was released on the 6th December 2013 by rubina119.
|       The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc.
|       Using this script, we can detect if the file is present.
|       If the file is present, we assume that the host might be vulnerable.
|
|       In future version, we'll extract credentials from the file but it's not implemented yet and
|       the detection will be accurate.
|
|       TODO:
|       Add the possibility to read compressed file (because we're only looking if it exists)
|       Then, send some payload to create the new mail account
|     Disclosure date: 2013-12-06
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|_      http://www.exploit-db.com/exploits/30085/
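
When the script is run across many hosts, the report format shown above can be parsed into records for triage. The following is an added example, not part of the Nmap documentation or of the script itself; `parse_findings` and `needs_patch_check` are hypothetical names, the sample text is constructed from the output above, and treating any State that begins with "VULNERABLE" as a hit is an assumption.

```python
import re

# Constructed input: abridged from the Script Output above, plus one
# constructed port line that carries no script results.
SAMPLE = """\
PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Disclosure date: 2013-12-06
|     References:
|_      http://www.exploit-db.com/exploits/30085/
443/tcp open  https   syn-ack
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
# A script header is "| name:" or "|_name:" with the name right after one filler char.
SCRIPT_RE = re.compile(r"^\|[ _]([\w.-]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(State|IDs|Disclosure date):\s*(.+?)\s*$")


def parse_findings(text):
    """Return one dict per script result block, tagged with its port."""
    findings, port, current = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, current = m.group(1), None  # a new port line ends the previous block
        elif m := SCRIPT_RE.match(line):
            current = {"port": port, "script": m.group(1)}
            findings.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return findings


def needs_patch_check(findings):
    """Ports whose State begins with VULNERABLE (assumption; "NOT VULNERABLE" is skipped)."""
    return [f["port"] for f in findings
            if f.get("State", "").startswith("VULNERABLE")]


if __name__ == "__main__":
    results = parse_findings(SAMPLE)
    print(results)
    print("verify Zimbra version on:", needs_patch_check(results))
```

Because the script's own description says a hit means the host might be vulnerable, each flagged port is a prompt to confirm the installed Zimbra version against the 7.2.6 fix.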

Requires


Author: Paul AMAR <aos.paul@gmail.com>, Ron Bowes

License: Same as Nmap--See http://nmap.org/book/man-legal.html
