
List:       bugtraq
Subject:    [PT-2013-46] Local File Include in Nagios Looking Glass
From:       noreply@ptsecurity.ru
Date:       2013-10-28 10:18:19
Message-ID: 201310281018.r9SAIJQm021887@sf01web3.securityfocus.com

-----------------------------------------------------------
  (PT-2013-46) Positive Technologies Security Advisory 
      Local File Include in Nagios Looking Glass
-----------------------------------------------------------

---[ Vulnerable software ]

Nagios Looking Glass 
Version: 1.1.0 beta 2 and earlier

Link: 
http://exchange.nagios.org/directory/Addons/Frontends-(GUIs-and-CLIs)/Web-Interfaces/Nagios-Looking-Glass/details


---[ Severity level ]

Severity level:	High 
Impact:	Local file read (information disclosure)
Access Vector:	Remote 
CVSS v2: 
Base Score: 7.8 
Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

CVE: not assigned

---[ Software description ]

Nagios Looking Glass (NLG) is a web-based interface for Nagios that allows you to show at-a-glance, real-time server status to 3rd parties without giving them direct access to Nagios.

---[ Vulnerability description ]

The specialists of the Positive Research center have detected a Local File Include vulnerability in Nagios Looking Glass.

The application does not validate input data, which allows an attacker to read configuration files on the server. Exploitation does not require any privileges in Nagios Looking Glass: the attacker only needs network access to the web interface. The vulnerability is located in server/s3_download.php.
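The bug class in general terms, as an added illustration that is not the Nagios Looking Glass code (the advisory does not publish the vulnerable source or the affected parameter): a request-supplied file name is concatenated into a path and read as-is, so "../" segments walk out of the intended directory. Beside it is a hardened version that canonicalises with realpath() and refuses anything that does not stay under the download directory. The parameter name, directory layout and sample files below are assumptions made for the demonstration.

```php
<?php
// Added illustration of an unvalidated file-name parameter used in a file
// read, and one way to harden it. NOT the Nagios Looking Glass code; the
// "name" parameter and the directory layout are assumptions.

// Vulnerable pattern: the request value goes straight into the path.
// A value such as "../config.php" or "../../../../etc/passwd" escapes
// $baseDir and is read like any other file the web server can open.
function download_unsafe(string $baseDir, string $name): ?string
{
    $path = $baseDir . '/' . $name;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened pattern: resolve both the base directory and the requested path
// with realpath() (collapses ".", "..", and symlinks), then require the
// result to sit strictly under the base directory. When the set of
// downloadable files is known in advance, an allow-list of names is better.
function download_safe(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse empty names and embedded NUL bytes before touching the filesystem.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() returns false for paths that do not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix check includes the separator so that "/srv/downloads_x"
    // is not accepted as being inside "/srv/downloads". Symlinks pointing
    // outside the directory are rejected too, since $real is canonical.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed test layout (assumption): a download directory with one
// public file, and a "config.php" one level above it that must stay private.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($root);
mkdir($root . '/downloads');
file_put_contents($root . '/config.php', "<?php \$db_password = 'secret';\n");
file_put_contents($root . '/downloads/report.txt', "public report\n");
$dl = $root . '/downloads';

$cases = [
    'report.txt',          // legitimate request
    '../config.php',       // traversal out of the download directory
    'missing.txt',         // non-existent file
    "report.txt\0.png",    // NUL-byte truncation attempt
];
foreach ($cases as $name) {
    $shown = str_replace("\0", '\0', $name);
    $unsafe = download_unsafe($dl, $name);
    $safe = download_safe($dl, $name);
    printf("%-20s unsafe: %-8s safe: %s\n", $shown,
        $unsafe === null ? 'denied' : 'served',
        $safe === null ? 'denied' : 'served');
}

// Clean up the constructed layout.
unlink($root . '/downloads/report.txt');
unlink($root . '/config.php');
rmdir($root . '/downloads');
rmdir($root);
```

Run it with the PHP CLI and compare the two columns: the unsafe handler serves the parent-directory config file while the hardened one denies everything that does not canonicalise to a regular file inside the download directory.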

---[ How to fix ]

No vendor fix was available at the time of publication.

---[ Advisory status ]

19.07.2013 - Vendor notified with vulnerability details
13.08.2013 - Vulnerability details were sent to CERT 
28.10.2013 - Public disclosure

---[ Credits ]

The vulnerability was detected by Vyacheslav Egoshin, Positive Research Center (Positive Technologies Company)

---[ References ]

http://en.securitylab.ru/lab/PT-2013-46 
Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/ 
http://en.securitylab.ru/lab/

