OSVDB ID: 39227

Title: Centreon MakeXML4statusCounter.php fileOreonConf Parameter Remote File Inclusion

Info

Disclosure

Dec 14, 2007

Discovery

Unknown

Dates

Exploit

Dec 14, 2007

Solution

Unknown

Description

Centreon contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to MakeXML4statusCounter.php not properly sanitizing user input supplied to the fileOreonConf variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public, Exploit Unknown
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Centreon

1.4.1

References

CVE ID: 2007-6485 (see also: NVD)
Bugtraq ID: 26883
Secunia Advisory ID: 28112
ISS X-Force ID: 39065
Related OSVDB ID: 39226
Exploit Database: 4735
Milw0rm: 4735
Mail List Post: http://archives.neohapsis.com:80/archives/bugtraq/2007-12/0197.htm
Vendor URL: http://www.centreon.com/

Credit

Michael Brooks - michaelbrooksrooksecurity.com - Rook Security

Direct URL: http://osvdb.org/39227