
Centreon 2.6.1 Command Injection Vulnerability

High
Advisory ID: ZSL-2015-5265
Release Date: 26 September 2015
Vendor:
Affected Version: 2.6.1 (CES 3.2)
CVE: N/A
Tested On: CentOS 6.6 (Final), Apache/2.2.15, PHP/5.3.3
Summary

Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.

Description

The POST parameter 'persistant', which controls whether a newly created service runs in the background, is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands, and the vulnerable request can also be triggered through cross-site request forgery.
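The pattern the advisory describes, shown as an added illustration rather than Centreon's own code: a request parameter is concatenated straight into a shell command line, next to a hardened handler that rejects anything outside the values the flag can legitimately take, escapes the argument anyway, and requires a CSRF token so the request cannot be forged from another origin. The runner path, the function names and the token field are assumptions; only the parameter name 'persistant' comes from the advisory.

```php
<?php
// Added example, not Centreon code. The service runner path and the
// csrf_token field are hypothetical; 'persistant' is the advisory's parameter.

// UNSAFE pattern: the raw POST value is interpolated into a shell command.
// Anything the client sends after a shell metacharacter runs as a command.
function start_service_unsafe(array $post)
{
    $persistant = $post['persistant'];                       // attacker-controlled string
    $cmd = '/usr/local/bin/service_runner --persistent ' . $persistant; // hypothetical runner
    exec($cmd, $output, $rc);
    return $rc;
}

// HARDENED handler: CSRF check, strict allowlist, escaped argument.
function start_service_safe(array $post, array $session)
{
    // 1. Reject forged requests: a state-changing POST must carry the
    //    per-session token. (hash_equals() is preferable on PHP >= 5.6;
    //    the strict comparison keeps this runnable on the 5.3 tested above.)
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || $post['csrf_token'] !== $session['csrf_token']) {
        throw new RuntimeException('CSRF token missing or invalid');
    }

    // 2. The flag is boolean in meaning, so only '0' and '1' are accepted.
    //    Strict in_array() prevents type juggling from widening the allowlist.
    $allowed = array('0', '1');
    if (!isset($post['persistant']) || !in_array($post['persistant'], $allowed, true)) {
        throw new InvalidArgumentException('invalid persistant value');
    }
    $persistant = $post['persistant'];

    // 3. Even a validated value is passed as one quoted argument, so the
    //    command structure can never be altered by the input.
    $cmd = '/usr/local/bin/service_runner --persistent ' . escapeshellarg($persistant);
    exec($cmd, $output, $rc);
    return $rc;
}
```

The allowlist is the control that actually matters here: escapeshellarg() stops the shell from interpreting the value, but it does not stop an unexpected value from reaching the runner, and a defender reviewing similar code should look for both checks on every parameter that feeds exec(), shell_exec(), system() or backticks.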

Proof of Concept
Disclosure Timeline
10.08.2015 - Vulnerability discovered.
12.08.2015 - Vendor contacted.
13.08.2015 - Vendor replies asking for more details.
13.08.2015 - Sent details to the vendor.
14.08.2015 - Vendor sends details to the development team.
19.08.2015 - Asked vendor for status update.
19.08.2015 - Vendor states that some issues were fixed in 2.6.2 and the rest will be fixed in 2.6.3 or 2.7.
25.08.2015 - Asked vendor for status update.
25.08.2015 - Vendor will get back to us by 15th of September because of holidays.
16.09.2015 - No reply from the vendor.
17.09.2015 - Informed vendor about public release.
17.09.2015 - Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in the next release.
24.09.2015 - Vendor releases version 2.6.3 to fix remaining issues?
26.09.2015 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.09.2015 - Initial release
07.10.2015 - Added references [3], [4], [5] and [6]
10.11.2015 - Added reference [7]