Nagios statuswml.cgi Command Injection

Added: 04/13/2010
CVE: CVE-2009-2288
BID: 35464
OSVDB: 55281

Background

Nagios is a network host and service monitoring and management system.

Problem

The Nagios statuswml.cgi script passes unsanitized data to the ping and traceroute commands, resulting in shell command execution via metacharacters. A successful remote attacker could use a specially crafted request to execute arbitrary commands.
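The defensive pattern that closes this class of bug is to allowlist the target before it reaches ping or traceroute and to pass it as a single argv element rather than building a shell command line. The following is an added example written for this advisory, not code from Nagios; the function names, the length limits and the sample inputs are all constructed here.

```c
/* Added example (not Nagios code): validate a ping/traceroute target and
 * build an argv for execvp(), so shell metacharacters are never interpreted. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 253   /* hostname length limit used by this example */

/* Accept only hostname / dotted-IPv4 style targets: letters, digits, '.'
 * and '-', labels of 1..63 characters, no empty labels, no label that
 * starts or ends with '-'. Anything else (';', '|', '`', '$', spaces, ...)
 * is rejected. Returns 1 if acceptable, 0 otherwise. */
int valid_ping_target(const char *s)
{
    size_t n = strlen(s), label = 0;
    if (n == 0 || n > MAX_TARGET) return 0;
    if (s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0; /* empty or '-.' */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;          /* metacharacter */
        if (label == 0 && c == '-') return 0;             /* leading '-' */
        if (++label > 63) return 0;
    }
    return s[n - 1] != '-';
}

/* Fill argv as execvp() would receive it. The target occupies exactly one
 * slot, so it can never split into extra arguments or a second command.
 * Returns the argument count, or -1 if the target is refused. */
int build_ping_argv(const char *target, const char *argv[], size_t cap)
{
    if (cap < 5 || !valid_ping_target(target)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "3";
    argv[3] = target; argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed inputs: one legitimate address, one with a metacharacter. */
    const char *samples[] = { "192.168.1.1", "10.0.0.1;uname" };
    for (size_t i = 0; i < 2; i++)
        printf("%-16s -> %s\n", samples[i],
               valid_ping_target(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```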

Resolution

Upgrade to Nagios 3.1.1 or later.

References

http://secunia.com/advisories/35543/

Limitations

Exploit works on Nagios 2.11.
Valid Nagios user credentials must be provided.