Pandora FMS 'sec2' Parameter Local File Include Vulnerability

Bugtraq ID:	52058
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 17 2012 12:00AM
Updated:	Feb 17 2012 12:00AM
Credit:	Ucha Gobejishvili of Vulnerability Research Laboratory.
Vulnerable:	Pandora FMS Team Pandora FMS 4.0.1
Not Vulnerable:

Pandora FMS 'sec2' Parameter Local File Include Vulnerability

Pandora FMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Pandora FMS 4.0.1 is vulnerable; other versions may also be affected.

Pandora FMS 'sec2' Parameter Local File Include Vulnerability

Attackers can exploit this issue through a browser.

The following example URI is available:

http://www.example.com/[ Path ]/index.php?sec=services&sec2=[FILE INCLUDE VULNERABILITY!]

Pandora FMS 'sec2' Parameter Local File Include Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

Pandora FMS 'sec2' Parameter Local File Include Vulnerability

References:

• Pandora FMS - Homepage (Pandora FMS Team)
  
• Pandora FMS v4.0.1 - Local File Include Vulnerability (Vulnerability Research Laboratory)