On 8 Oct 2010, at 15:45, Jose Luis Martinez wrote:
El 07/10/2010 15:02, Ton Voon escribió:
On 7 Oct 2010, at 07:13, aero wrote:
My company's security team found a security flaw in opsview, even for 3.9.0.
Someone can execute shell command via URL (ex.
http://opsviewurl/cgi-nmis/admin.pl?admin=ping&node=10.10.10.10 | ls -l )
Hi Kang,
Thanks for the report. The patch is here:
https://secure.opsera.com/wsvn/wsvn/opsview?op=comp&compare[]=%2ftr...@5159&compare[]=%2ftr...@5160
Thanks for the quick response!
You are already on our contributor's list:
http://opsview.com/community/developer-zone/contributors
To Mr. Kang:
Thanks for the report, but please do not disclose vulnerabilities in
public forums without giving the vendor a chance to fix them first.
This way security updates get distributed in a timely fashion and
everybody benefits from your work in an ordered way.
Just to defend Kang, we haven't stated how to contact us if you have a
security bug. We've updated the text at the top of the forum link:
http://www.opsview.com/forums/opsview-community-edition/bug-reports
so you should email us about security bugs before publicly disclosing.
I have also updated our incident tracker item (https://secure.opsera.com/jira/browse/OPS-1379)
with the conditions of the bug. As this only happens when someone is
already logged into Opsview AND they have ADMINACCESS, I think the
exposure is not so bad (compared with any public user being able to
execute arbitrary code).
Just for information, I've reported the bug back upstream to the NMIS
project ... on their mailing list. So I'm just as guilty as Kang :(
Point taken for next time.
Ton
_______________________________________________
Opsview-users mailing list
[email protected]
http://lists.opsview.org/lists/listinfo/opsview-users
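The bug discussed in this thread is a CGI parameter (`node`) reaching a shell, so `10.10.10.10 | ls -l` becomes two commands. The following is an added example written for this page, not code from NMIS, Opsview or the thread's authors; it assumes a hypothetical handler that takes a `node` value and pings it, and shows the two controls that close this class of bug: allow-list validation of the parameter, and running the binary with Perl's list-form `system()` so no shell parses the argument at all.

```perl
#!/usr/bin/perl
# Added example (not NMIS/Opsview code): handling a "node" CGI parameter
# for a ping action without ever handing it to /bin/sh.
use strict;
use warnings;

# Allow-list check: accept only a dotted-quad IPv4 literal or a DNS hostname.
# Pipes, spaces, semicolons, backticks and a leading "-" cannot match, so
# "10.10.10.10 | ls -l" is rejected before any command line is built.
sub valid_node {
    my ($node) = @_;
    return 0 unless defined $node && length($node) > 0 && length($node) <= 253;
    my $octet = qr/(?:25[0-5]|2[0-4]\d|1?\d?\d)/;
    return 1 if $node =~ /\A$octet(?:\.$octet){3}\z/;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return 1 if $node =~ /\A$label(?:\.$label)*\z/;
    return 0;
}

# Run ping with the list form of system(): the binary is exec'd directly and
# $node is a single argv entry, not text for a shell to interpret. The
# validation above also guarantees it cannot start with "-", so it cannot be
# misread as a ping option.
sub ping_node {
    my ($node) = @_;
    die "rejected node parameter\n" unless valid_node($node);
    my @cmd = ('/bin/ping', '-c', '3', $node);   # hypothetical ping path/flags
    my $rc = system(@cmd);
    return $rc == 0;   # true when ping got replies
}

# Constructed sample inputs standing in for the CGI "node" parameter.
my @samples = ('10.10.10.10', 'host01.example.com', '10.10.10.10 | ls -l', '; id', '-f');
for my $input (@samples) {
    printf "%-22s %s\n", $input, valid_node($input) ? 'accepted' : 'rejected';
}
```

Only the first two samples are accepted; the injection string from the thread, the `; id` variant and the option-looking `-f` are all rejected by `valid_node` before `ping_node` would run anything. Running the script under `perl -T` (taint mode) adds a second layer: Perl then refuses to pass CGI-derived data to `system()` until it has passed through a regex capture like the ones above.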