Rapid7 Vulnerability & Exploit Database

Icingaweb Directory Traversal in Static Library File Requests

Disclosed: 05/09/2022
Created: 05/03/2023

Description

Icingaweb versions 2.9.0 to 2.9.5 inclusive and 2.8.0 to 2.8.5 inclusive suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the target's filesystem via a GET request to /lib/icinga/icinga-php-thirdparty/, with the privileges of the user running the Icingaweb server (typically www-data). This can be used to retrieve sensitive configuration information from the target, such as the configuration files of various services (which may reveal credentials or other sensitive settings), the /etc/passwd file (a list of valid usernames for password guessing attacks), or other sensitive files that exist as part of additional functionality on the target server. This module was tested against Icingaweb 2.9.5 running on Docker.
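For defenders, the most useful artifact of this issue is the request shape it leaves in web server logs: an unauthenticated GET under /lib/icinga/icinga-php-thirdparty/ whose path, once URL-decoded, contains a parent-directory (`..`) segment. The following added detection example (not code from Rapid7 or the Icinga project) scans constructed access log lines in Apache/nginx combined format, decoding percent-encoding repeatedly so that single- and double-encoded dot segments are both caught; the log lines, the `VULNERABLE_PREFIX` constant and the function names are assumptions for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:10:01:02 +0000] "GET /lib/icinga/icinga-php-thirdparty/vendor/lib.css HTTP/1.1" 200 512
10.0.0.7 - - [10/May/2022:10:01:03 +0000] "GET /lib/icinga/icinga-php-thirdparty/../../../../etc/passwd HTTP/1.1" 200 1320
10.0.0.8 - - [10/May/2022:10:01:04 +0000] "GET /lib/icinga/icinga-php-thirdparty/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 180
10.0.0.9 - - [10/May/2022:10:01:05 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 4090
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Static-library path exposed by the vulnerable icinga-php-thirdparty handler (from the advisory).
VULNERABLE_PREFIX = "/lib/icinga/icinga-php-thirdparty/"


def normalize_path(raw_path):
    """Strip the query string, percent-decode up to three times, unify slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop: catches %2e%2e and %252e%252e without spinning
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal_attempt(raw_path):
    """True when a request under the vulnerable prefix carries a '..' path segment."""
    path = normalize_path(raw_path)
    if not path.startswith(VULNERABLE_PREFIX):
        return False
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text):
    """Return (ip, raw_path, status) for every parsable line that looks like a traversal attempt.

    A 200 status on a flagged line is the strongest signal the request actually returned a file."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits
```

Lines flagged with status 200 on a host running an affected version should be treated as successful file disclosure until proven otherwise; upgrading past 2.9.5 / 2.8.5 removes the condition.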

Author(s)

  • h00die
  • Jacob Ebben
  • Thomas Chauchefoin

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/scanner/http/icinga_static_library_file_directory_traversal
msf auxiliary(icinga_static_library_file_directory_traversal) > show actions
    ...actions...
msf auxiliary(icinga_static_library_file_directory_traversal) > set ACTION < action-name >
msf auxiliary(icinga_static_library_file_directory_traversal) > show options
    ...show and set options...
msf auxiliary(icinga_static_library_file_directory_traversal) > run 
