Bug 20554

Summary: CVE-2009-2288 Nagios "statuswml.cgi" Command Injection Vulnerability
Product: Sisyphus Reporter: Vladimir Lettiev <crux>
Component: nagiosAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: blocker    
Priority: P3 CC: crux, grenka, ldv, mike, nbr
Version: unstableKeywords: security
Hardware: all   
OS: Linux   
URL: http://secunia.com/advisories/35543/
Bug Depends on: 33309    
Bug Blocks:    

Description Vladimir Lettiev 2009-06-24 00:11:27 MSD 
Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation requires access to the ping feature of the WAP interface.

Fixed in nagios >= 3.1.1
Comment 1 Michael Shigorin 2013-10-31 16:16:27 MSK 
Если что, nagios у нас с 2009 года только пересобирался с новыми перлами.

* Mon Jan 12 2009 Dmitry Lebkov <dlebkov@altlinux> 3.0.6-alt1
Comment 3 Michael Shigorin 2019-10-06 17:14:26 MSK 
2 nbr: спасибо; у тебя ещё 3.0.6-alt7 есть -- может, закинь тоже в сизиф?