SAINT CorporationSAINT:3F2EC0DDADDD3ADF99F0284A01B16D1CNagios statuswml.cgi Command Injection
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.6%
Added: 04/13/2010
CVE: CVE-2009-2288
BID: 35464
OSVDB: 55281
Background
Nagios is a network host and service monitoring and management system.
Problem
The Nagios statuswml.cgi script passes unsanitized data to the ping and traceroute commands, resulting in shell command execution via metacharacters. A successful remote attacker could use a specially crafted request to execute arbitrary commands.
Resolution
Upgrade to Nagios 3.1.1 or later.
References
<http://secunia.com/advisories/35543/>
Limitations
Exploit works on Nagios 2.11.
Valid Nagios user credentials must be provided.
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.6%