SAINT CorporationSAINT:CF40F181C3D8F16360A39D351D1C9AF0Nagios statuswml.cgi Command Injection
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.97 High
EPSS
Percentile
99.7%
Added: 04/13/2010
CVE: CVE-2009-2288
BID: 35464
OSVDB: 55281
Background
Nagios is a network host and service monitoring and management system.
Problem
The Nagios statuswml.cgi script passes unsanitized data to the ping and traceroute commands, resulting in shell command execution via metacharacters. A successful remote attacker could use a specially crafted request to execute arbitrary commands.
Resolution
Upgrade to Nagios 3.1.1 or later.
References
<http://secunia.com/advisories/35543/>
Limitations
Exploit works on Nagios 2.11.
Valid Nagios user credentials must be provided.
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.97 High
EPSS
Percentile
99.7%