Centreon web interface command injection

2016-02-29T00:00:00
ID SAINT:25358353CEBB5E0CF2010280B183CF66
Type saint
Reporter SAINT Corporation
Modified 2016-02-29T00:00:00

Description

Added: 02/29/2016

Background

Centreon is a suite of enterprise monitoring products written in PHP.

Problem

A command injection vulnerability in the Centreon web interface allows remote attackers to execute arbitrary commands by sending a specially crafted **useralias** parameter in a POST request. The commands are executed when the error triggered by the request is written to a log file by the **centreonLog** class.
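The class of bug described above, seen from the fix side, as an added example that is not Centreon's code or the vendor's patch. It assumes the log write passed request data through a shell command, which the advisory implies but does not show; `SafeFileLog`, its methods and the log path are hypothetical names.

```php
<?php
// Added illustration; not Centreon source. All names here are hypothetical.

// Unsafe pattern (assumed shape of the bug class): the log line is handed to
// a shell, so metacharacters in request data are interpreted, not logged.
//   exec('echo "' . $message . '" >> ' . $logFile);

final class SafeFileLog
{
    private string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Encode CR/LF and other control bytes so one request yields one log line.
    public static function sanitize(string $value): string
    {
        return preg_replace_callback(
            '/[\x00-\x1F\x7F]/',
            static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
            $value
        ) ?? '';
    }

    // Append through the filesystem API; no shell ever sees the message.
    public function write(string $event, string $userValue): bool
    {
        $line = sprintf("[%s] %s: %s\n", date('c'), $event, self::sanitize($userValue));
        return file_put_contents($this->path, $line, FILE_APPEND | LOCK_EX) !== false;
    }
}

// Constructed sample input: an alias holding shell metacharacters and a newline.
$log = new SafeFileLog(sys_get_temp_dir() . '/login-example.log');
$alias = "alice\$(id);\nforged entry";
$log->write('authentication failed for', $alias);

// The stored line keeps the metacharacters as inert text on a single line.
echo SafeFileLog::sanitize($alias), PHP_EOL;
```

Where a shell call cannot be avoided, `escapeshellarg()` on every interpolated value is the minimum, but writing the log directly removes the interpreter from the path altogether.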

Resolution

Upgrade to Centreon 2.5.4 or higher.

References

<https://www.exploit-db.com/exploits/39501/>