A vulnerability has been reported in Nagios, which can be exploited by malicious users to potentially compromise a vulnerable system. Input passed to the "ping" parameter in statuswml.cgi is not properly sanitized before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands. Additional research revealed that this parameter is vulnerable to Cross-Site Request Forgery. This module exploits the XSRF vulnerability in order to install an agent using the command injection vulnerability.
Monday, August 24, 2009 - 00:00
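
The following is an added example, not part of the original advisory and not Nagios code: one way a CGI can handle a user-supplied ping target so that the command injection described above cannot occur. The function names, the allowed character set and the `-c 1` arguments are assumptions chosen for illustration; the sketch covers only the injection issue, not the request forgery.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Nagios code): accept only characters that can
 * appear in a hostname, IPv4 or IPv6 literal. Returns 1 if safe, else 0. */
int is_safe_ping_target(const char *s)
{
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 255)
        return 0;
    if (s[0] == '-')            /* would be parsed by ping as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;           /* rejects ; | & ` $ ( ) spaces, quotes, ... */
    }
    return 1;
}

/* Fill argv for an execv()-style call so no shell ever parses the value.
 * Returns 0 on success, -1 if the target is rejected or argv is too small. */
int build_ping_argv(const char *target, const char *argv[], size_t argv_len)
{
    if (argv_len < 5 || !is_safe_ping_target(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = target;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.0.2.10", "host.example.org", "192.0.2.10;id", "-f" };
    const char *argv[5];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               build_ping_argv(samples[i], argv, 5) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The resulting `argv` is meant to be passed to an `exec`-family call directly; passing the value through `system()` or `popen()` would reintroduce shell parsing.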