Centreon web interface command injection

Added: 02/29/2016

Background

Centreon is a suite of enterprise monitoring products written in PHP.

Problem

A command injection vulnerability in the Centreon web interface allows remote attackers to execute arbitrary commands by sending a specially crafted useralias parameter in a POST request. The commands are executed when the error triggered by the request is written to a log file by the centreonLog class.
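
The class of bug described above, as an added illustration in PHP that is not Centreon's code and is not taken from the referenced exploit: a logger that passes a request value through a shell, next to one that writes it as plain data. The function names, log format and sample input are assumptions constructed for this example, since the page does not show how centreonLog writes its file.

```php
<?php
// Added illustration; not Centreon's code. All names here are hypothetical.

// Unsafe shape (shown for contrast, never called here): the request value is
// pasted into a shell command line, so the shell interprets it before the
// log file is ever written.
function logLoginFailureUnsafe(string $logFile, string $userAlias): void
{
    exec('echo "login failed for ' . $userAlias . '" >> ' . $logFile);
}

// Hardened shape: no shell is involved; the value is handled as data only.
function logLoginFailure(string $logFile, string $userAlias): string
{
    // Replace control characters (CR, LF, ...) so one request cannot forge
    // additional log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $userAlias);
    // Bound the length so an oversized field cannot flood the log.
    $clean = substr($clean, 0, 128);
    $line = sprintf("[%s] login failed for user '%s'\n", date('Y-m-d H:i:s'), $clean);
    // Append through the filesystem API, with a lock against interleaved writes.
    if (file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("cannot write to $logFile");
    }
    return $line;
}

// Constructed sample input: shell metacharacters plus an embedded newline.
$logFile = tempnam(sys_get_temp_dir(), 'login_log_');
$sample  = "alice\$(id)`id`;\nforged entry";
logLoginFailure($logFile, $sample);
// The file holds a single line with the metacharacters stored literally.
echo file_get_contents($logFile);
unlink($logFile);
```

When an external program genuinely has to be invoked with request data, PHP's escapeshellarg() quotes a single argument, but writing logs needs no shell at all.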

Resolution

Upgrade to Centreon 2.5.4 or higher.

References

https://www.exploit-db.com/exploits/39501/
