Nagios Input Validation Flaw in 'statuswml.cgi' Lets Remote Users Execute Arbitrary Commands

SecurityTracker Alert ID: 1022503
SecurityTracker URL: http://securitytracker.com/id/1022503
CVE Reference: CVE-2009-2288
Date: Jul 3 2009
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 3.1.1

Description:
A vulnerability was reported in Nagios. A remote user can execute arbitrary commands on the target system.
A remote user can send specially crafted data to the 'statuswml.cgi' script to execute arbitrary commands on the target system. The code will run with the privileges of the target web service.
A demonstration exploit URL is provided:
https://[target]/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
Paul reported this vulnerability.
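
Requests shaped like the demonstration URL can be found after the fact in web server access logs. The following Python script is an added example, not part of the original advisory or of Nagios: it flags 'statuswml.cgi' requests whose decoded 'ping' value is not a plain host name or address. It assumes combined-format access logs; the function names, the allow-list pattern and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate ping target is a host name, IPv4 or IPv6 address,
# so it only contains these characters.
SAFE_TARGET = re.compile(r"[A-Za-z0-9.:_-]{1,255}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_ping_values(request_target):
    """Return decoded 'ping' values that are not a plain host or address."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/statuswml.cgi"):
        return []
    # parse_qsl percent-decodes and turns '+' into a space, so the value is
    # compared in the form the CGI itself would see.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [v for k, v in pairs
            if k == "ping" and v and not SAFE_TARGET.fullmatch(v)]


def scan(log_lines):
    """Yield (line_number, decoded_value) for every flagged request."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        for value in suspicious_ping_values(match.group(1)):
            yield number, value


# Constructed sample log lines (client addresses are documentation ranges);
# the second request target is the demonstration URL from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2009:10:00:01 -0400] '
    '"GET /nagios/cgi-bin/statuswml.cgi?ping=192.0.2.55 HTTP/1.1" 200 412',
    '192.0.2.77 - - [03/Jul/2009:10:02:13 -0400] '
    '"GET /nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH '
    'HTTP/1.1" 200 530',
    '192.0.2.10 - - [03/Jul/2009:10:03:40 -0400] '
    '"GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious ping value {value!r}")
```

A hit shows only that such a request was received; whether the host was affected depends on the installed version (prior to 3.1.1).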

Impact:
A remote user can execute arbitrary commands on the target system.

Solution:
The vendor has issued a fixed version (3.1.1).

Vendor URL: www.nagios.org/

Cause:
Input validation error

Underlying OS:
Linux (Any), UNIX (Any)

Source Message Contents

Date: Thu, 2 Jul 2009 23:05:53 -0400
Subject: Nagios

http://www.nagios.org/development/history/core-3x/
> # Security fix for statuswml.cgi where arbitrary shell injection was possible
CVE-2009-2288