Affected Systems:
Centreon <2.4.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56911
CVE (CAN) ID: CVE-2012-5967
Centreon is open-source software that works with Nagios: it manages Nagios through web pages and monitors networks, operating systems, and applications through third-party components.
In Centreon 2.3.3 through 2.3.9-4 and other versions, the 'menu' parameter of the PHP file menuXML.php is vulnerable to SQL injection. An SQL fragment appended to the menu parameter, for example ' AND SLEEP(5) AND 'mehl'='mehl, makes the web application pause for 5 seconds, which confirms the injection. Remote attackers can exploit this vulnerability to operate on the database without authorization.
Source: Tom Gregory
Link: http://www.kb.cert.org/vuls/id/856892
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
menu=' and sleep(5) AND 'meHL'='meHL
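As an added detection example (not part of the original advisory or of Centreon's own code): the function below scans web-server access-log lines for requests to menuXML.php whose decoded menu parameter carries the quote, SLEEP() or 'x'='x tautology pattern shown above. The script path /centreon/menuXML.php and the two log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# Line 1 is a benign request; line 2 carries the advisory's time-based payload,
# URL-encoded as a browser or tool would send it. The script path is assumed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2012:10:00:01 +0000] "GET /centreon/menuXML.php?menu=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2012:10:00:09 +0000] "GET /centreon/menuXML.php?menu=%27%20and%20sleep%285%29%20AND%20%27meHL%27%3D%27meHL HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures of the injection described in the advisory: a quote that closes
# the string literal, a SLEEP() call, and a tautology of the form 'x'='x.
SIGNATURES = {
    "quote": re.compile(r"['\"]"),
    "sleep": re.compile(r"\bsleep\s*\(", re.IGNORECASE),
    "tautology": re.compile(r"'([^']*)'\s*=\s*'\1"),
}


def inspect_menu(value):
    """Return the names of the signatures matched by one decoded 'menu' value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text):
    """Flag requests to menuXML.php whose 'menu' parameter looks like SQL injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/menuxml.php"):
            continue
        # parse_qs percent-decodes values, so signatures are checked on the decoded text
        for value in parse_qs(parts.query, keep_blank_values=True).get("menu", []):
            hits = inspect_menu(value)
            if hits:
                findings.append({"ip": m.group("ip"), "time": m.group("time"),
                                 "menu": value, "signatures": hits})
    return findings
```

Run scan_log over a real access log to list the client, timestamp and decoded parameter of each suspicious request; a match on "sleep" together with a long response time is the strongest indicator of this particular probe.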
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Centreon
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://forge.centreon.com/projects/centreon/repository/revisions/13749