Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 275288 (CVE-2009-2288) - <net-analyzer/nagios-core-2.12-r1,3.0.6-r2 statuswml.cgi remote code exec (CVE-2009-2288)
Summary: <net-analyzer/nagios-core-2.12-r1,3.0.6-r2 statuswml.cgi remote code exec (CV...
Alias: CVE-2009-2288
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2009-06-24 13:28 UTC by Stefan Behte (RETIRED)
Modified: 2009-07-19 18:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 13:28:47 UTC
From $URL:

In both the tools -> ping, and tools-> Traceroute WAP/WML pages, it is possible to inject arbitrary shell commands that are run as the same user as the statuswml.cgi is running as.

For example, a Ping with a Host Name/Address of “;echo $PATH” (entered without the quotes) will return the output from the ping command and then execute and return the output from the “echo $PATH” command.

(i.e. [^]
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-24 21:27:50 UTC
Added the patch added 5 days ago in upstream CVS:

Versions rev-bumped and bumped:

Candidates for stabilization:
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-26 05:51:18 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-26 11:39:21 UTC
x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-26 20:17:53 UTC
Both stable on alpha.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-06-27 13:07:30 UTC
ppc64 and ppc done
Comment 6 Markus Meier gentoo-dev 2009-06-28 11:57:50 UTC
amd64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 14:12:14 UTC
sparc stable
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-02 13:12:51 UTC
CVE-2009-2288 (
  statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
  execute arbitrary commands via shell metacharacters in the (1) ping
  or (2) Traceroute parameters.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:13:08 UTC
doesn't the "nagios" ebuild need a bump as well?
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-10 20:42:54 UTC
(In reply to comment #9)
> doesn't the "nagios" ebuild need a bump as well?

no, it's just a meta-ebuild which pulls in actual nagios code (nagios-core).
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 21:39:00 UTC
sorry, i mistook the ~ for a =
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-10 22:00:22 UTC
(In reply to comment #11)
> sorry, i mistook the ~ for a =

no problem :)
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-07-19 18:14:47 UTC
GLSA 200907-15