Long Long threads~ What a surprise! I already knew what Ton said ("this only happens when someone is already logged into Opsview AND they have ADMINACCESS"). So I seriously didn't think I would have to keep it secret.

Anyway, I am sorry for my carelessness. Thank you to all who offend or defend me. :)

On Sat, Oct 9, 2010 at 12:07 AM, Ton Voon <[email protected]> wrote:
>
> On 8 Oct 2010, at 15:45, Jose Luis Martinez wrote:
>
> > On 07/10/2010 15:02, Ton Voon wrote:
> >
> > > On 7 Oct 2010, at 07:13, aero wrote:
> > >
> > > > My company's security team found a security flaw in opsview, even for 3.9.0.
> > > > Someone can execute shell commands via URL (ex.
> > > > http://opsviewurl/cgi-nmis/admin.pl?admin=ping&node=10.10.10.10 | ls -l )
> > >
> > > Hi Kang,
> > >
> > > Thanks for the report. The patch is here:
> > > https://secure.opsera.com/wsvn/wsvn/opsview?op=comp&compare[]=%2ftr...@5159&compare[]=%2ftr...@5160
> >
> > Thanks for the quick response!
> >
> > > You are already on our contributor's list:
> > > http://opsview.com/community/developer-zone/contributors
> >
> > To Mr. Kang:
> > Thanks for the report, but please do not disclose vulnerabilities in
> > public forums without giving the vendor a chance to fix them first.
> > This way security updates get distributed in a timely fashion and
> > everybody benefits from your work in an ordered way.
>
> Just to defend Kang, we haven't stated how to contact us if you have a
> security bug. We've updated the text at the top of the forum link:
>
> http://www.opsview.com/forums/opsview-community-edition/bug-reports
>
> so you should email us about security bugs before publicly disclosing.
>
> I have also updated our incident tracker item
> (https://secure.opsera.com/jira/browse/OPS-1379) with the conditions of the
> bug. As this only happens when someone is already logged into Opsview AND
> they have ADMINACCESS, I think the exposure is not so bad (compared with any
> public user being able to execute arbitrary code).
>
> Just for information, I've reported the bug back upstream to the NMIS
> project ... on their mailing list. So I'm just as guilty as Kang :( Point
> taken for next time.
>
> Ton
_______________________________________________ Opsview-users mailing list [email protected] http://lists.opsview.org/lists/listinfo/opsview-users
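A defensive illustration of the admin.pl?admin=ping&node=... flaw discussed in this thread, added here and not code from Opsview or NMIS: the `node` query parameter is accepted only as an IP literal or a plain hostname, and ping is then invoked as an argument vector with no shell, so a value carrying `| ls -l` is rejected before it can ever be interpreted as a pipeline. The helper names, the ping flags and the constructed sample URL are my assumptions.

```python
"""Validate the `node` CGI parameter before it reaches ping (added example)."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed request in the shape quoted in the thread; "opsviewurl" is not a real host.
SAMPLE_URL = ("http://opsviewurl/cgi-nmis/admin.pl?admin=ping"
              "&node=10.10.10.10%20%7C%20ls%20-l")

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_node(node: str) -> bool:
    """True only for an IPv4/IPv6 literal or a hostname; whitespace and shell
    metacharacters such as '|', ';', '$' or backticks can never match."""
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(node))


def node_from_url(url: str) -> str:
    """Extract the raw (percent-decoded) `node` parameter from an admin.pl-style URL."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("node", [])
    if len(values) != 1:
        raise ValueError("expected exactly one node parameter")
    return values[0]


def build_ping_argv(node: str) -> list:
    """Argument vector for ping. Because no shell parses it, even a value that
    slipped past validation would be passed to ping as one literal argument."""
    if not is_valid_node(node):
        raise ValueError(f"rejected node value: {node!r}")
    return ["ping", "-c", "3", node]


def run_ping(node: str) -> str:
    """Run ping without a shell and return its combined output (hypothetical wrapper)."""
    proc = subprocess.run(build_ping_argv(node), capture_output=True,
                          text=True, timeout=15)  # shell=False is the default
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    raw = node_from_url(SAMPLE_URL)
    print(f"node parameter: {raw!r} -> valid: {is_valid_node(raw)}")
```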
