Bug #3532

CVE-2012-6096 - history.cgi remote command execution

Added by dnsmichi over 2 years ago. Updated 8 months ago.

Status: Resolved
Start date: 01/13/2013
Priority: Normal
Due date:
Assignee: dnsmichi
% Done: 100%
Category: Classic UI
Target version: Icinga 1.x - 1.9
Icinga Version: 1.8.3
OS Version: any

Description

There's a CVE floating around the net with the subject "CVE-2012-6096 - Nagios history.cgi Remote Command Execution" which may affect Icinga as well, having the same code base as Nagios in this regard.

Tests have unveiled that, without authorization (or by given auth credentials), this CVE is valid. Though, Icinga requires some more changes on that.

Since there are some other bugfixes on the plate for 1.8.4, we'll port the Nagios patch, after having investigated their patch for a while now. Furthermore, this patch must be backported to the existing 1.7.x and 1.6.x branches.

Associated revisions

Revision 747736d5
Added by Michael Friedrich over 2 years ago

possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

refs #3532

Revision 71427661
Added by Michael Friedrich over 2 years ago

possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

refs #3532

Revision 46f55574
Added by Michael Friedrich over 2 years ago

possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

refs #3532

Conflicts:
cgi/cgiutils.c
cgi/status.c

Revision 600418ef
Added by Michael Friedrich over 2 years ago

possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

refs #3532

Conflicts:
cgi/cgiutils.c
cgi/status.c

History

#1 Updated by dnsmichi over 2 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

#3 Updated by dnsmichi 8 months ago

  • Project changed from 19 to Core, Classic UI, IDOUtils
  • Category changed from 52 to Classic UI
  • OS Version set to any
