The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.

Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.

A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges to root.

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

The remote host is affected by the vulnerability described in GLSA-201702-26 (Nagios: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Nagios. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker, who either is already Nagios&rsquo;s system user or       belongs to Nagios&rsquo;s group, could potentially escalate privileges.
    In addition, a remote attacker could read or write to arbitrary files by       spoofing a crafted response from the Nagios RSS feed server.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-6762     It was discovered that wordpress is prone to an open     redirect vulnerability which allows remote attackers to     conduct phishing attacks.

  - CVE-2008-6767     It was discovered that remote attackers had the ability     to trigger an application upgrade, which could lead to a     denial of service attack.

  - CVE-2009-2334     It was discovered that wordpress lacks authentication     checks in the plugin configuration, which might leak     sensitive information.

  - CVE-2009-2854     It was discovered that wordpress lacks authentication     checks in various actions, thus allowing remote     attackers to produce unauthorised edits or additions.

  - CVE-2009-2851     It was discovered that the administrator interface is     prone to a cross-site scripting attack.

  - CVE-2009-2853     It was discovered that remote attackers can gain     privileges via certain direct requests.

  - CVE-2008-1502     It was discovered that the _bad_protocol_once function     in KSES, as used by wordpress, allows remote attackers     to perform cross-site scripting attacks.

  - CVE-2008-4106     It was discovered that wordpress lacks certain checks     around user information, which could be used by     attackers to change the password of a user.

  - CVE-2008-4769     It was discovered that the get_category_template     function is prone to a directory traversal     vulnerability, which could lead to the execution of     arbitrary code.

  - CVE-2008-4796     It was discovered that the _httpsrequest function in the     embedded snoopy version is prone to the execution of     arbitrary commands via shell metacharacters in https     URLs.

  - CVE-2008-5113     It was discovered that wordpress relies on the REQUEST     superglobal array in certain dangerous situations, which     makes it easier to perform attacks via crafted cookies.

Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. (CVE-2007-3215)

Nigel McNie discovered that fetching https URLs did not correctly escape shell meta-characters. An authenticated remote attacker could execute arbitrary commands as the web server user, if curl was installed and configured. (CVE-2008-4796, MSA-09-0003)

It was discovered that Smarty (also included in Moodle), did not correctly filter certain inputs. An authenticated remote attacker could exploit this to execute arbitrary PHP commands as the web server user. (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)

It was discovered that the unused SpellChecker extension in Moodle did not correctly handle temporary files. If the tool had been locally modified, it could be made to overwrite arbitrary local files via symlinks. (CVE-2008-5153)

Mike Churchward discovered that Moodle did not correctly filter Wiki page titles in certain areas. An authenticated remote attacker could exploit this to cause cross-site scripting (XSS), which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5432, MSA-08-0022)

It was discovered that the HTML sanitizer, 'Login as' feature, and logging in Moodle did not correctly handle certain inputs. An authenticated remote attacker could exploit this to generate XSS, which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026, MSA-09-0004, MSA-09-0007)

It was discovered that the HotPot module in Moodle did not correctly filter SQL inputs. An authenticated remote attacker could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service. (CVE-2008-6124, MSA-08-0010)

Kevin Madura discovered that the forum actions and messaging settings in Moodle were not protected from cross-site request forgery (CSRF).
If an authenticated user were tricked into visiting a malicious website while logged into Moodle, a remote attacker could change the user's configurations or forum content. (CVE-2009-0499, MSA-09-0008, MSA-08-0023)

Daniel Cabezas discovered that Moodle would leak usernames from the Calendar Export tool. A remote attacker could gather a list of users, leading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)

Christian Eibl discovered that the TeX filter in Moodle allowed any function to be used. An authenticated remote attacker could post a specially crafted TeX formula to execute arbitrary TeX functions, potentially reading any file accessible to the web server user, leading to a loss of privacy. (CVE-2009-1171, MSA-09-0009)

Johannes Kuhn discovered that Moodle did not correctly validate user permissions when attempting to switch user accounts. An authenticated remote attacker could switch to any other Moodle user, leading to a loss of privacy. (MSA-08-0003)

Hanno Boeck discovered that unconfigured Moodle instances contained XSS vulnerabilities. An unauthenticated remote attacker could exploit this to modify or steal confidential data of other users within the same web domain. (MSA-08-0004)

Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra Montesinos discovered that when users were deleted from Moodle, their profiles and avatars were still visible. An authenticated remote attacker could exploit this to store information in profiles even after they were removed, leading to spam traffic. (MSA-08-0015, MSA-09-0001, MSA-09-0002)

Lars Vogdt discovered that Moodle did not correctly filter certain inputs. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MSA-08-0021)

It was discovered that Moodle did not correctly filter inputs for group creation, mnet, essay question, HOST param, wiki param, and others. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793, MDL-14806)

It was discovered that Moodle did not correctly filter SQL inputs when performing a restore. An attacker authenticated as a Moodle administrator could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service.
(MDL-11857).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fix for cron job, also fix for CVE-2008-4796. Upgrade to new upstream, fix cron bug.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution.

Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276).

Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023).

Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755).

SQL injection issue in the hotpot module (MSA-08-0010).

An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810 ). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796 ). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502 ).

http://wordpress.org/development/2008/10/wordpress-263/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Wordpress development team reports :

A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately.

ID	Name	Product	Family	Severity
103651	Amazon Linux AMI : nagios (ALAS-2017-899)	Nessus	Amazon Linux Local Security Checks	critical
97269	GLSA-201702-26 : Nagios: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
44736	Debian DSA-1871-1 : wordpress - several vulnerabilities	Nessus	Debian Local Security Checks	critical
39516	Ubuntu 8.04 LTS / 8.10 : moodle vulnerabilities (USN-791-1)	Nessus	Ubuntu Local Security Checks	critical
37315	Fedora 10 : moodle-1.9.3-3.fc10 (2008-9903)	Nessus	Fedora Local Security Checks	critical
35254	Debian DSA-1691-1 : moodle - several vulnerabilities	Nessus	Debian Local Security Checks	critical
34722	Fedora 9 : moodle-1.9.3-3.fc9 (2008-9508)	Nessus	Fedora Local Security Checks	critical
34721	Fedora 8 : moodle-1.8.7-1.fc8 (2008-9502)	Nessus	Fedora Local Security Checks	critical
34713	Fedora 8 : wordpress-2.6.3-1.fc8 (2008-9304)	Nessus	Fedora Local Security Checks	critical
34712	Fedora 9 : wordpress-2.6.3-1.fc9 (2008-9257)	Nessus	Fedora Local Security Checks	critical
34496	FreeBSD : wordpress -- snoopy '_httpsrequest()' shell command execution vulnerability (3a4a3e9c-a1fe-11dd-81be-001c2514716c)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2008-4796

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical