List: bugtraq
Subject: [PT-2013-46] Local File Include in Nagios Looking Glass
From: noreply () ptsecurity ! ru
Date: 2013-10-28 10:18:19
Message-ID: 201310281018.r9SAIJQm021887 () sf01web3 ! securityfocus ! com
-----------------------------------------------------------
(PT-2013-46) Positive Technologies Security Advisory
Local File Include in Nagios Looking Glass
-----------------------------------------------------------
---[ Vulnerable software ]
Nagios Looking Glass
Version: 1.1.0 beta 2 and earlier
Link:
http://exchange.nagios.org/directory/Addons/Frontends-(GUIs-and-CLIs)/Web-Interfaces/Nagios-Looking-Glass/details
---[ Severity level ]
Severity level: High
Impact: Files Reading
Access Vector: Remote
CVSS v2:
Base Score: 7.8
Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVE: not assigned
---[ Software description ]
Nagios Looking Glass (NLG) is a web-based interface for Nagios that allows you to \
show at-a-glance, real-time server status to 3rd parties without giving them direct \
access to Nagios.
---[ Vulnerability description ]
The specialists of the Positive Research center have detected a Local File Include \
vulnerability in Nagios Looking Glass.
The application does not validate input data, which allows attackers to read the \
config file. A remote attacker needs no privileges in Nagios Looking Glass to exploit \
this vulnerability. The vulnerability exists in server/s3_download.php.
---[ How to fix ]
No solution
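With no fix available, web server access logs are the place to check who has reached server/s3_download.php. The following is an added example, not part of the advisory or of Nagios Looking Glass: it lists every request to that script and marks those whose parameter values decode to a path outside the expected directory. Assumptions: combined log format, and constructed sample lines in which the /nlg/ prefix, the parameter name p and the file names are placeholders (the advisory does not name the parameter).

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script named in the advisory; the install prefix in front of it varies per site.
TARGET = "server/s3_download.php"
# Combined/common log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Constructed sample lines (placeholder prefix, parameter name and file names).
SAMPLE = [
    '192.0.2.10 - - [28/Oct/2013:10:00:00 +0000] "GET /nlg/server/s3_download.php?p=report.csv HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Oct/2013:10:01:00 +0000] "GET /nlg/server/s3_download.php?p=..%2F..%2FEXAMPLE.cfg HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Oct/2013:10:02:00 +0000] "GET /nlg/server/s3_download.php?p=%252e%252e%252fEXAMPLE.cfg HTTP/1.1" 200 2048',
    '192.0.2.10 - - [28/Oct/2013:10:03:00 +0000] "GET /nlg/index.php HTTP/1.1" 200 4096',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def path_like(value):
    """Return a reason if a parameter value looks like a path outside the expected directory."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "NUL byte"
    if ".." in v.split("/"):
        return "parent-directory segment"
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "absolute path"
    return None

def triage(lines):
    """Return (client, status, verdict) for every request that reaches the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not fully_decode(url.path).lower().endswith(TARGET):
            continue
        reasons = [r for _, v in parse_qsl(url.query, keep_blank_values=True) if (r := path_like(v))]
        hits.append((client, int(status), reasons[0] if reasons else "review"))
    return hits
```

Because the advisory states that no privileges are required, requests marked "review" still deserve a look when they come from clients that have no reason to call the script.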
---[ Advisory status ]
19.07.2013 - Vendor gets vulnerability details
13.08.2013 - Vulnerability details were sent to CERT
28.10.2013 - Public disclosure
---[ Credits ]
The vulnerability was detected by Vyacheslav Egoshin, Positive Research Center \
(Positive Technologies Company)
---[ References ]
http://en.securitylab.ru/lab/PT-2013-46
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/