A remote shell code injection flaw was found in statuswml.cgi script in nagios. A remote attacker able to access nagios web pages (usually protected by HTTP authentication) can run arbitrary commands with CGI script's (i.e. web server) privileges.
Upstream bug with additional details:
Upstream test case:
Access control defaults for nagios packages:
- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authentication. There's no user created by default.
- Note: it seems that during nagios2 -> nagios3 transition, an attempt was made to provide default user/password (nagiosadmin:nagiosadmin) in .htpasswd file:
However, /etc/httpd/conf.d/nagios.conf file has not been updated and still references (non-existent) /etc/nagios/passwd file and not newly added /etc/nagios/.htpasswd file. Please correct me if I'm missing something here. I'm also not sure if there's a good reason to use .ht as file name prefix (file is not in web server's docroot).
Red Hat HPC Solution:
- Based on Fedora 2.x Fedora packages, so nagios package by default only allow access from localhost and requires authentication.
- However, kusu-nagios-config overwrites httpd/conf.d/nagios.conf file in its postinst script to allow access from any host by default and creates user with fixed default password (admin:admin). This default user name and password is documented in HPC installation guide, but it seems to lack instructions on how to change this default.
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
execute arbitrary commands via shell metacharacters in the (1) ping or
(2) Traceroute parameters.
This issue has been addressed in following products:
Red Hat HPC Solution for RHEL 5
Via RHSA-2009:1141 https://rhn.redhat.com/errata/RHSA-2009-1141.html
nagios-2.12-6.el4 has been submitted as an update for Fedora EPEL 4.
nagios-2.12-6.el5 has been submitted as an update for Fedora EPEL 5.
nagios-2.12-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
nagios-2.12-6.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.