Bug 275288 (CVE-2009-2288) - <net-analyzer/nagios-core-2.12-r1,3.0.6-r2 statuswml.cgi remote code exec (CVE-2009-2288)
Status: RESOLVED FIXED
Alias: CVE-2009-2288
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://tracker.nagios.org/view.php?id=15
Whiteboard: B1 [glsa]
Reported: 2009-06-24 13:28 UTC by Stefan Behte (RETIRED)
Modified: 2009-07-19 18:14 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 13:28:47 UTC
From $URL:

In both the tools -> ping, and tools -> Traceroute WAP/WML pages, it is possible to inject arbitrary shell commands that are run as the same user as the statuswml.cgi is running as.

For example, a Ping with a Host Name/Address of “173.45.235.65;echo $PATH” (entered without the quotes) will return the output from the ping command and then execute and return the output from the “echo $PATH” command.

(i.e. https://somehost.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH)
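
An added example (not from this bug report, the Nagios source, or the upstream patch) of the defensive pattern for the flaw described above: allowlist the host parameter, then run ping through execvp() so no shell ever parses the value. The function names and the ping options used are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for a host name or address taken from a CGI parameter:
 * ASCII letters, digits, '.', '-' and ':' (IPv6) only, 1..255 bytes, and
 * no leading '-' so the value cannot be parsed as a ping option. */
int host_arg_is_safe(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > 255 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                    (c >= 'A' && c <= 'Z');
        if (!alnum && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Build a fixed argv (assumed options: -n, -c 3); -1 if host is rejected. */
int build_ping_argv(const char *host, const char *argv[6])
{
    if (!host_arg_is_safe(host)) return -1;
    argv[0] = "ping"; argv[1] = "-n"; argv[2] = "-c"; argv[3] = "3";
    argv[4] = host;   argv[5] = NULL;
    return 0;
}

/* Run ping with no shell: execvp() hands each argv element to the program
 * verbatim, so ';' or '$' in a value would never be interpreted.
 * Returns the child's exit status, or -1 on rejection or error. */
int run_ping(const char *host)
{
    const char *argv[6];
    int status;
    if (build_ping_argv(host, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```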
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-24 21:27:50 UTC
Added the patch added 5 days ago in upstream CVS:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28&view=patch

Versions rev-bumped and bumped:
=net-analyzer/nagios-core-3.1.2
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1

Candidates for stabilization:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-26 05:51:18 UTC
Arches, please test and mark stable:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-26 11:39:21 UTC
x86 stable
Comment 4 Tobias Klausmann gentoo-dev 2009-06-26 20:17:53 UTC
Both stable on alpha.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-06-27 13:07:30 UTC
ppc64 and ppc done
Comment 6 Markus Meier gentoo-dev 2009-06-28 11:57:50 UTC
amd64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 14:12:14 UTC
sparc stable
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-02 13:12:51 UTC
CVE-2009-2288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2288):
  statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
  execute arbitrary commands via shell metacharacters in the (1) ping
  or (2) Traceroute parameters.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:13:08 UTC
doesn't the "nagios" ebuild need a bump as well?
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-10 20:42:54 UTC
(In reply to comment #9)
> doesn't the "nagios" ebuild need a bump as well?
> 

no, it's just a meta-ebuild which pulls in actual nagios code (nagios-core).
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 21:39:00 UTC
sorry, i mistook the ~ for a =
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-10 22:00:22 UTC
(In reply to comment #11)
> sorry, i mistook the ~ for a =
> 

no problem :)
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-07-19 18:14:47 UTC
GLSA 200907-15