CVE-2020-8500

DISPUTED In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality.

Recent assessments:

J3rryBl4nks at March 03, 2020 7:47pm UTC reported:

Due to the fact that files that are uploaded are able to be browsed to, this exploit means that an authenticated administrator could upload a reverse shell payload and get the connection back easily.

Many vendors will dismiss this type of vulnerability as not easily exploitable or within the bounds of what the program allows. I believe that it should never be possible for a web application to allow code execution to the underlying host unless that is core functionality of the software.

This same type of vulnerability seems to be present in a large number of monitoring software packages until they get egg on their face and patch it.

The Pandora FMS website lists a good target base that would allow you to start trying to compromise admin creds and get the file upload to hopefully get a foothold.

I would place this as valuable to attackers, but more difficult to exploit due to the fact that you have to be an authenticated admin user.

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 5