op5 Monitor Nacoma command execution

2016-07-01T00:00:00
ID SAINT:75BBE86192148D2E1B645F76FBE5E310
Type saint
Reporter SAINT Corporation
Modified 2016-07-01T00:00:00

Description

Added: 07/01/2016

Background

op5 Monitor is an open-source monitoring solution written in PHP.

Problem

The **command_test.php** script in the Nacoma component of op5 Monitor can be used to execute arbitrary operating system commands.

Resolution

Upgrade to op5 Monitor 7.2.0 or higher.

References

<http://www.securityfocus.com/archive/1/537992>
<https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/>

Limitations

Exploit works on op5 Monitor 7.1.9 and requires valid credentials. (The default "monitor" account may be used.)