An attacker could leverage the vulnerability to execute arbitrary code

Feb 17, 2012 16:09 GMT  ·  By

Ucha Gobejishvili, also known as longrifle0x, the Georgian hacker featured in our Hackers around the world series, found a high-severity local file inclusion vulnerability in Pandora FMS 4.0.1, a powerful monitoring tool capable of monitoring networks, systems, applications and websites.

The Vulnerability Lab researcher identified the security hole and created a proof-of-concept video to show how an attacker could take advantage of the flaw to execute arbitrary code.

The expert uses the demo mode offered by Pandora to prove that an ill-intended hacker can manipulate the application to serve his malicious purposes.

File inclusion vulnerabilities are highly dangerous because they can allow code execution on the web server, and in some cases on the client side, which can ultimately lead to other attacks such as cross-site scripting (XSS) attacks.

Remote file inclusion flaws can also be used to induce a denial of service state and even for data theft.

Pandora has been notified of the issue and considering that numerous companies around the world rely on the software, being downloaded more than 500,000 times, we hope that they will address the problem soon.