FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nagios -- Command Injection Vulnerability

Affected packages
nagios <= 3.0.6_1
nagios2 <= 2.12_3
nagios-devel <= 3.1.0_1

Details

VuXML ID 3ebd4cb5-657f-11de-883a-00e0815b8da8
Discovery 2009-05-29
Entry 2009-06-30
Modified 2009-07-13

Secunia reports:

A vulnerability has been reported in Nagios, which can be exploited by malicious users to potentially compromise a vulnerable system.

Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.

Successful exploitation requires access to the ping feature of the WAP interface.
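The defensive pattern for the flaw described above, as an added example (not code from Nagios, Secunia, or the actual fix): validate the "ping" value against a strict allowlist and pass it to ping as one argv element so that no shell parses it. The function names, the length limit and the `-c 3` arguments are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_HOST_LEN 253  /* assumption: longest legal DNS name */

/* Return 1 if `host` is acceptable as a single ping argument:
 * non-empty, bounded length, not starting with '-' (would be read as
 * an option) or '.', and made only of hostname / IP address characters.
 * Everything else, including all shell metacharacters, is rejected. */
int is_safe_ping_target(const char *host)
{
    size_t len, i;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN)
        return 0;
    if (host[0] == '-' || host[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Fill argv[] (5 slots) for an execv()-style call, so the value is never
 * interpolated into a command string handed to a shell.
 * Returns 0 on success, -1 if the host value is rejected. */
int build_ping_argv(const char *host, const char *argv[5])
{
    if (!is_safe_ping_target(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";   /* illustrative fixed arguments */
    argv[2] = "3";
    argv[3] = host;   /* one argv element, whatever it contains */
    argv[4] = NULL;
    return 0;
}
```

A CGI handler would call `build_ping_argv()` on the decoded parameter and refuse the request on `-1`; on success the array goes to `execv()` in a child process rather than to `popen()` or `system()`.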

References

CVE Name CVE-2009-2288
URL http://secunia.com/advisories/35543
URL http://tracker.nagios.org/view.php?id=15