On 10/07/2010 02:13 AM, aero wrote:
Hello,
My company's security team found a security flaw in Opsview, even for 3.9.0.
Someone can execute a shell command via URL (ex.
http://opsviewurl/cgi-nmis/admin.pl?admin=ping&node=10.10.10.10 | ls -l )
Please fix it.
Thank you.
Hello [email protected]
As distressing as it is to see this well-known type of vulnerability in
2010, people do make mistakes and software will always have flaws in it.
You do a service by reporting this. Thank you.
That said, I hope that you considered whether posting it to a public
forum without giving the vendor an opportunity to fix it was the correct
choice for the community. I see no indication in your posting that you
notified Opsera and they were unresponsive, so I'm guessing that didn't
happen?
If you considered this, and believe you made an ethical choice, fine, I
won't argue with you. I'm just asking you to be mindful before hitting
send in public.
Sincerely,
John Coleman
_______________________________________________
Opsview-users mailing list
[email protected]
http://lists.opsview.org/lists/listinfo/opsview-users