In both the tools -> ping and tools -> Traceroute WAP/WML pages, it is possible to inject arbitrary shell commands that are run as the same user that statuswml.cgi is running as.
For example, a Ping with a Host Name/Address of “22.214.171.124;echo $PATH” (entered without the quotes) will return the output from the ping command and then execute and return the output from the “echo $PATH” command.
(i.e. https://somehost.com/nagios/cgi-bin/statuswml.cgi?ping=126.96.36.199%3Becho+%24PATH)
Added the patch added 5 days ago in upstream CVS:
Versions rev-bumped and bumped:
Candidates for stabilization:
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Both stable on alpha.
ppc64 and ppc done
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
execute arbitrary commands via shell metacharacters in the (1) ping
or (2) Traceroute parameters.
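
Added example, not part of this bug report and not the upstream Nagios patch: one way a C CGI could refuse a value like the one in the URL above, by form-decoding the query value first and then checking it against an allowlist before it is used as a ping or traceroute target. The names `form_decode` and `host_param_ok` and the 255-character limit are assumptions made for this example.

```c
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a form-encoded value ("%3B" -> ';', '+' -> ' ') into out (outsz >= 1).
 * Returns 0 on success, -1 on a bad escape, an encoded NUL or overflow. */
int form_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    while (*in) {
        char c = *in++;
        if (c == '+') c = ' ';
        else if (c == '%') {
            int hi = hexval(in[0]);
            int lo = hi < 0 ? -1 : hexval(in[1]);
            if (lo < 0 || (hi == 0 && lo == 0)) return -1;
            c = (char)(hi * 16 + lo);
            in += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 only if the raw query value decodes to an acceptable ping or
 * traceroute target: letters, digits, '.', '-', ':' and no leading '-'
 * (a leading '-' would be read as a command option). */
int host_param_ok(const char *raw)
{
    char buf[256];
    size_t i;
    if (raw == NULL || form_decode(raw, buf, sizeof buf) != 0) return 0;
    if (buf[0] == '\0' || buf[0] == '-') return 0;
    for (i = 0; buf[i] != '\0'; i++) {
        char c = buf[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}
```

The check runs on the decoded value, so `%3B` and a literal `;` are rejected alike; passing the validated target to `execv()` as a separate argument instead of building a shell command string removes the shell from the path entirely.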
doesn't the "nagios" ebuild need a bump as well?
(In reply to comment #9)
> doesn't the "nagios" ebuild need a bump as well?
no, it's just a meta-ebuild which pulls in actual nagios code (nagios-core).
sorry, i mistook the ~ for a =
(In reply to comment #11)
> sorry, i mistook the ~ for a =
no problem :)