Vulnerability CVE-2010-4282

Vulnerability CVE-2010-4282

Published: 2010-12-02 Modified: 2012-02-13

Description:

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.

See advisories in our WLB2 database:

	Topic	Author	Date
Med.	Pandora FMS <= 3.1 Path Traversal and LFI	Juan Galiana Lar...	03.12.2010

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Artica -> Pandora fms

References:

http://seclists.org/fulldisclosure/2010/Nov/326

http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download

http://www.exploit-db.com/exploits/15643

http://www.securityfocus.com/archive/1/514939/100/0/threaded

http://www.securityfocus.com/bid/45112

Vulnerability CVE-2010-4282

See advisories in our WLB2 database:

Med.

Pandora FMS <= 3.1 Path Traversal and LFI

CWE-22

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

7.5/10

6.4/10

10/10

Remote

Low

No required

Partial

Partial

Partial

Affected software

References: