Bug 20554

Summary:	CVE-2009-2288 Nagios "statuswml.cgi" Command Injection Vulnerability
Product:	Sisyphus	Reporter:	Vladimir Lettiev <crux>
Component:	nagios	Assignee:	serjigva <serjigva>
Status:	CLOSED FIXED	QA Contact:	qa-sisyphus
Severity:	blocker
Priority:	P3	CC:	grenka, ldv, mike, serjigva
Version:	unstable	Keywords:	security
Hardware:	all
OS:	Linux
URL:	http://secunia.com/advisories/35543/
Bug Depends on:	33309
Bug Blocks:

Description Vladimir Lettiev 2009-06-24 00:11:27 MSD

Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation requires access to the ping feature of the WAP interface.

Fixed in nagios >= 3.1.1

Comment 1 Michael Shigorin 2013-10-31 16:16:27 MSK

Если что, nagios у нас с 2009 года только пересобирался с новыми перлами.

* Mon Jan 12 2009 Dmitry Lebkov <dlebkov@altlinux> 3.0.6-alt1

Comment 2 nbr 2019-10-05 20:49:06 MSK

http://git.altlinux.org/gears/n/nagios.git?p=nagios.git;a=commit;h=75c99281c4cf3023ad62d323801542bb9ac9ac72

Comment 3 Michael Shigorin 2019-10-06 17:14:26 MSK

2 nbr: спасибо; у тебя ещё 3.0.6-alt7 есть -- может, закинь тоже в сизиф?