Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-34096 PoC — Thruk has Path Traversal Vulnerability in panorama.pm

Source
https://github.com/galoget/Thruk-CVE-2023-34096
Associated Vulnerability
Title:Thruk has Path Traversal Vulnerability in panorama.pm (CVE-2023-34096)
Description:Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
Description
Thruk Monitoring Web Interface <= 3.06 vulnerable to CVE-2023-34096 (Path Traversal).
Readme
# Thruk-CVE-2023-34096
Thruk Monitoring Web Interface versions **<= v3.06** are vulnerable to **CVE-2023-34096 (Path Traversal)**.

The current exploit is made in Python 3 and exploits the vulnerability to upload a PoC file to multiple Thruk's common folders and also some Linux folders.

## CVSS
The CNA GitHub, Inc. assigned a CVSS 3.1 Score of **6.5 (Medium)** to this finding. ([Check NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-34096))

```
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
```

## Vulnerability Summary
- **Assigned CVE:** CVE-2023-34096
- **CVE Author:** Galoget Latorre (@galoget)
- **Severity:** 6.5 Medium
- **Type:** Path Traversal
- **Product:** Thruk Monitoring Web Interface
- **Affected Versions:** All versions <= 3.06
- **Patched Version:** 3.06-2

## Timeline
- 2023-05-25: This vulnerability was identified by Galoget Latorre.
- 2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
- 2023-06-05: CVE-2023-34096 is assigned. 
- 2023-06-06: Maintainer releases a patch with version 3.06-2, see [Thruk's Changelog](https://www.thruk.org/changelog.html#_v3-062).
- 2023-06-08: [GitHub Security Advisory](https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h) is released by maintainer.
- 2023-06-08: Security advisory ([author's blog post](https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html)) is released by Galoget Latorre.
- 2023-06-08: Exploit PoC (this repository) is released by Galoget Latorre.
- 2023-06-09: Exploit PoC is shared by [Exploit Database (Exploit-DB)](https://www.exploit-db.com/exploits/51509).
- 2023-06-09: Exploit PoC is shared by [Packet Storm Security](https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html).

## Credits
This security vulnerability was **identified** and **reported** to the maintainer (Thruk's Developers) by **Galoget Latorre**, **Security Consultant** at **Hackem Cybersecurity Research Group** and **Dreamlab Technologies**.

## References
- CVE Author Blog: [https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html](https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html)
- GitHub Security Advisory: [https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h](https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h)
- Exploit Database (Exploit-DB): [https://www.exploit-db.com/exploits/51509](https://www.exploit-db.com/exploits/51509)
- Packet Storm Security: [https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html](https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html)
- NVD NIST: [https://nvd.nist.gov/vuln/detail/CVE-2023-34096](https://nvd.nist.gov/vuln/detail/CVE-2023-34096)
- MITRE: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096)
- Other Exploits (PoCs) authored by Galoget:
  - Exploit Database (Exploit-DB): [https://www.exploit-db.com/?author=11838](https://www.exploit-db.com/?author=11838)
  - Packet Storm Security: [https://packetstormsecurity.com/files/author/16617/](https://packetstormsecurity.com/files/author/16617/)

### Demo

![CVE-2023-34096 exploit PoC](CVE-2023-34096-exploit-PoC.png "CVE-2023-34096 exploit PoC")

**Note:** In the previous image, you can see that the exploit is showing an error message for the last 3 attempts, this is because in the test environment some folders were non-existent or the Apache user did not have write permissions on those paths. The exploit works correctly and the output was intended to test all possible cases.
File Snapshot

 [4.0K]  /data/pocs/a3740b8148812b3064cb8411a52f3dd2a84770fa
├── [299K]  CVE-2023-34096-exploit-PoC.png
├── [ 12K]  CVE-2023-34096-exploit.py
├── [ 34K]  LICENSE
├── [3.7K]  README.md
├── [  34]  requirements.txt
└── [ 25M]  Thruk-3.06.zip

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →