The nagios CGI scripts did not sufficiently check the validity of the
HTTP Content-Length attribute. By sending a specially crafted HTTP
request with a negative Content-Length value to the Nagios server, a
remote attacker could exploit this to execute arbitrary code with web
server privileges.
Please note that the Apache 2 web server already checks for valid
Content-Length values, so installations using Apache 2 (the only web
server officially supported in Ubuntu) are not vulnerable to this
flaw.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 5.10 | noarch | nagios-common | <Â * | UNKNOWN |
Ubuntu | 5.04 | noarch | nagios-common | <Â * | UNKNOWN |