This exploit demonstrates a Local File Inclusion (LFI) vulnerability in tcPbX VoIP distro via the unsanitized 'tcpbx_lang' parameter in the index.php file. The PoC shows how an attacker can read arbitrary files (e.g., /etc/passwd) by manipulating the cookie parameter.
Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:tcPbX VoIP distro (based on Asterisk and CentOS)
No auth needed
Prerequisites:Network access to the vulnerable tcPbX web interface