On 07/10/2010 15:02, Ton Voon wrote:
On 7 Oct 2010, at 07:13, aero wrote:
My company's security team found a security flaw in opsview, even for
3.9.0.
Someone can execute a shell command via the URL (ex.
http://opsviewurl/cgi-nmis/admin.pl?admin=ping&node=10.10.10.10 | ls -l )
Hi Kang,
Thanks for the report. The patch is here:
https://secure.opsera.com/wsvn/wsvn/opsview?op=comp&compare[]=%2ftr...@5159&compare[]=%2ftr...@5160
Thanks for the quick response!
You are already on our contributor's list:
http://opsview.com/community/developer-zone/contributors
To Mr. Kang:
Thanks for the report, but please do not disclose vulnerabilities in
public forums without giving the vendor a chance to fix them first.
This way security updates get distributed in a timely fashion and
everybody benefits from your work in an ordered way.
Best Regards,
Jose Luis Martinez
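
One way to close this class of bug, as an added example that is neither Opsview/NMIS code nor the patch linked in the thread: validate the `node` value against a strict host pattern and run ping with a list-form argv so that no shell ever parses it. The sub names and the ping path are assumptions, and the sample inputs are constructed apart from the value quoted in the report.

```perl
#!/usr/bin/perl
# Added example: hypothetical handler for a "ping this node" CGI action.
# Not Opsview or NMIS code; sub names and the ping path are assumptions.
use strict;
use warnings;

my $PING = '/bin/ping';    # assumed location of the ping binary

# Accept only a dotted-quad IPv4 address or an RFC 1123 style hostname.
# Whitespace, a leading '-', and shell metacharacters never match.
sub valid_node {
    my ($node) = @_;
    return 0 unless defined $node && length $node && length($node) <= 253;
    if (my @octets = $node =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
        my $bad = grep { $_ > 255 } @octets;
        return $bad ? 0 : 1;
    }
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $node =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Build the argv for ping, or return an empty list if the input is rejected.
sub ping_argv {
    my ($node) = @_;
    return unless valid_node($node);
    return ($PING, '-c', '1', $node);
}

# List-form pipe open: ping is exec'd directly and no shell parses $node.
sub run_ping {
    my @argv = ping_argv(@_) or return;
    open(my $fh, '-|', @argv) or return;
    local $/;                 # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed inputs; the second is the value from the report above.
# Only validation is exercised here, so the script runs offline.
for my $node ('10.10.10.10', '10.10.10.10 | ls -l', 'mon01.example.com',
              '10.10.10.999', '-f', "host\n") {
    (my $shown = $node) =~ s/\n/\\n/g;
    printf "%-24s %s\n", "'$shown'", valid_node($node) ? 'accept' : 'reject';
}
```

The anchors are `\A` and `\z` rather than `^` and `$`, so a value ending in a newline is rejected instead of slipping past the pattern.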