Bug 20554 - CVE-2009-2288 Nagios "statuswml.cgi" Command Injection Vulnerability
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: nagios
Version: unstable
Hardware: all Linux
Importance: P3 blocker
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-sisyphus
URL: http://secunia.com/advisories/35543/
Keywords: security
Depends on: 33309
Blocks:
Reported: 2009-06-24 00:11 MSD by Vladimir Lettiev
Modified: 2019-10-06 17:14 MSK
Description Vladimir Lettiev 2009-06-24 00:11:27 MSD
Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation requires access to the ping feature of the WAP interface.

Fixed in nagios >= 3.1.1
Comment 1 Michael Shigorin 2013-10-31 16:16:27 MSK
FYI, since 2009 our nagios has only been rebuilt against new Perl versions.

* Mon Jan 12 2009 Dmitry Lebkov <dlebkov@altlinux> 3.0.6-alt1
Comment 3 Michael Shigorin 2019-10-06 17:14:26 MSK
2 nbr: thanks; you also have 3.0.6-alt7 -- maybe push that to Sisyphus as well?