CVE-2008-4796: OS Command Injection in Libphp-snoopy

Severity
10.0 CRITICAL (NVD)
NVD: 9.8
EPSS: 1.1% (top 22.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 30
Latest update: May 17

Description

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

CVSS vector

AV:N/AC:L/C:C/I:C/A:C
Exploitability: 10.0 | Impact: 10.0

Affected Packages (7 packages)

debian | debian/libphp-snoopy | < libphp-snoopy 1.2.4-1 (bookworm) | +1
NVD | nagios/nagios | < 4.2.2 | +2
debian | debian/wordpress | < libphp-snoopy 1.2.4-1 (bookworm)
NVD | wordpress/wordpress | < 2.6.3

Also affects: Debian Linux 4.0, 5.0

🔴 Vulnerability Details (6)

GHSA | GHSA-wr36-qh3g-7h4v: The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands | 2022-05-17
GHSA | GHSA-828p-3vwg-wc22: MagpieRSS, as used in the front-end component in Nagios Core before 4 | 2022-05-14
GHSA | GHSA-g42h-8ph9-jmvx: The _httpsrequest function (Snoopy/Snoopy | 2022-05-13
OSV | CVE-2008-7313: The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands | 2017-03-31
OSV | CVE-2016-9565: MagpieRSS, as used in the front-end component in Nagios Core before 4 | 2016-12-15

📋 Vendor Advisories (6)

Red Hat | nagios: Command injection via curl in MagpieRSS | 2016-12-13
Red Hat | snoopy: incomplete fixes for command execution flaws | 2014-07-03
Ubuntu | Moodle vulnerabilities | 2009-06-24
Red Hat | snoopy: command execution via shell metacharacters | 2008-10-31
Debian | CVE-2008-4796: libphp-snoopy - The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier... | 2008

📐 Framework References (1)

CWE | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

💬 Community (5)

Bugzilla | CVE-2016-9565 nagios: Command injection via curl in MagpieRSS | 2016-12-16
Bugzilla | CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws | 2014-07-21
Bugzilla | CVE-2008-4796 snoopy: command execution via shell metacharacters [epel-6] | 2013-04-30
Bugzilla | CVE-2008-4796 snoopy: command execution via shell metacharacters [fedora-all] | 2013-04-30
Bugzilla | CVE-2008-4796 snoopy: command execution via shell metacharacters | 2008-10-31