Bugzilla – Bug 1016483
VUL-0: CVE-2008-4796: nagios: snoopy: command execution via shell metacharacters
Last modified: 2017-12-02 01:18:57 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

References:
http://www.openwall.com/lists/oss-security/2008/11/01/1
http://www.vupen.com/english/advisories/2008/2901
http://www.securityfocus.com/archive/1/archive/1/496068/100/0/threaded
http://xforce.iss.net/xforce/xfdb/46068
http://secunia.com/advisories/32361
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html
http://jvn.jp/en/jp/JVN20502807/index.html
http://sourceforge.net/forum/forum.php?forum_id=879959
http://www.securityfocus.com/bid/31887
embedded in Nagios as ./nagios/html/includes/rss/extlib/Snoopy.class.inc
Created attachment 707199: CVE-2008-4796.patch
patch extract from https://github.com/NagiosEnterprises/nagioscore.git commit 34d8a8b27a82bdbfa66daa74f484431e423f0ea7
it's in nagios-www ... not shipped on SLE 12, but on SLE11 *
sle11 - does not include snoopy
sle12 - does not ship nagios-www
leap - affected.
bugbot adjusting priority
Patched packages submitted for 42.2, 42.3 and SLE12.
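
The bug class named in the CVE text above (an https URL interpolated into a shell command line), shown as an added PHP example that is not Snoopy's or Nagios's code and is not taken from the attached patch. The function names, the `printf %s` stand-in for the external HTTPS client and the sample URL are assumptions, and a POSIX /bin/sh is assumed.

```php
<?php
// Added illustration of the bug class; not Snoopy's or Nagios's code.
// Function names and the sample URL are hypothetical. Assumes a POSIX /bin/sh.

// Unsafe pattern: double quotes alone do not stop the shell from performing
// command substitution ($(...) or backticks) inside the URL.
function build_cmd_unsafe(string $tool, string $url): string
{
    return $tool . ' "' . $url . '"';
}

// Hardened pattern: accept only https URLs, then let escapeshellarg()
// single-quote the value so the shell passes it on as one literal argument.
function build_cmd_safe(string $tool, string $url): string
{
    if (preg_match('#^https://#i', $url) !== 1) {
        throw new InvalidArgumentException('not an https URL');
    }
    return $tool . ' ' . escapeshellarg($url);
}

// "printf %s" stands in for the external HTTPS client, so nothing is fetched;
// its output is exactly the argument the client would have received.
$tool = 'printf %s';

// Constructed input: a harmless substitution that only echoes a marker.
$url = 'https://example.test/$(echo MARKER)';

$unsafe = shell_exec(build_cmd_unsafe($tool, $url));
$safe   = shell_exec(build_cmd_safe($tool, $url));

printf("argument seen via unsafe builder: %s\n", $unsafe);
printf("argument seen via safe builder:   %s\n", $safe);

// Check that can be automated in a regression test: the argument the client
// receives must be byte-for-byte the URL that was supplied.
printf("unsafe builder round-trips URL: %s\n", var_export($unsafe === $url, true));
printf("safe builder round-trips URL:   %s\n", var_export($safe === $url, true));
```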