DISPUTED: In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality.
Recent assessments:
J3rryBl4nks at March 03, 2020 7:47pm UTC reported:
Due to the fact that files that are uploaded are able to be browsed to, this exploit means that an authenticated administrator could upload a reverse shell payload and get the connection back easily.
Many vendors will dismiss this type of vulnerability as not easily exploitable or within the bounds of what the program allows. I believe that it should never be possible for a web application to allow code execution to the underlying host unless that is core functionality of the software.
This same type of vulnerability seems to be present in a large number of monitoring software packages until they get egg on their face and patch it.
The Pandora FMS website lists a good target base that would allow you to start trying to compromise admin creds and get the file upload to hopefully get a foothold.
I would place this as valuable to attackers, but more difficult to exploit due to the fact that you have to be an authenticated admin user.
Assessed Attacker Value: 2
Assessed Attacker Value: 5