cbcvebase.
CVE-2009-2288
published 2009-07-01

CVE-2009-2288: statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute…

Priority P278 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 83.45% (99.6th percentile)
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.

Affected

18 ranges
VendorProductVersion rangeFixed in
nagiosnagios<= 3.1.0
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios
nagiosnagios

Detection & IOCs (extracted from sources)

path: /nagios3/cgi-bin/statuswml.cgi
path: /nagios/cgi-bin/statuswml.cgi
url: https://www.example.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
command: POST /nagios3/cgi-bin/statuswml.cgi with ping=;<payload>&
  • Detect POST requests to statuswml.cgi containing shell metacharacters (semicolon, ampersand) in the 'ping' or 'traceroute' parameters, which indicate command injection attempts.
  • Monitor HTTP responses from statuswml.cgi for the string 'Invalid host name' — its absence after a crafted ping request may indicate a vulnerable (unpatched) server.
  • Alert on HTTP Basic Authorization headers sent to statuswml.cgi via POST, especially combined with a 'ping' parameter value beginning with a semicolon.
  • Flag GET requests to statuswml.cgi where the 'ping' parameter contains URL-encoded shell metacharacters such as %3B (semicolon).
  • Exploitation requires that access to the WAP interface's ping feature is enabled/allowed; environments with this feature disabled are not directly exploitable via this vector.
  • The exploit uses HTTP Basic Authentication; valid credentials (default: guest/guest in the Metasploit module) are required for the attack to reach the vulnerable code path.
  • The payload bad characters are '<' and '>', meaning payloads containing these characters will not function correctly through this injection vector.
  • Only Nagios versions prior to 3.1.1 are vulnerable; patched servers return 'Invalid host name' in the response body when the injection is attempted.
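
The request checks listed above can be combined into one log-review helper. This is an added example, not code from this page or its sources: the function name, the sample requests and every metacharacter beyond the semicolon and ampersand named above are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory text (compared case-insensitively).
WATCHED_PARAMS = {"ping", "traceroute"}
# Semicolon and ampersand come from the page; the rest is an assumed, wider set.
SHELL_META = set(";&|`$(){}<>\n\r")


def suspicious_params(method, target, body=""):
    """Return sorted [(param, decoded_value)] for watched parameters that carry
    shell metacharacters in a request to statuswml.cgi; [] otherwise."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/statuswml.cgi"):
        return []
    raw = [parts.query]
    if method.upper() == "POST":
        raw.append(body)  # form-encoded body, as in the POST pattern above
    hits = set()
    for chunk in raw:
        # Split on '&' only, so a literal ';' stays inside the value;
        # parse_qsl percent-decodes, so %3B and %26 are seen as ';' and '&'.
        for name, value in parse_qsl(chunk, keep_blank_values=True, separator="&"):
            if name.lower() in WATCHED_PARAMS and SHELL_META & set(value):
                hits.add((name.lower(), value))
    return sorted(hits)


SAMPLES = [  # constructed requests for illustration, not captured traffic
    ("GET", "/nagios/cgi-bin/statuswml.cgi?ping=192.0.2.10%3Becho+%24PATH", ""),
    ("POST", "/nagios3/cgi-bin/statuswml.cgi", "ping=;echo+ok&"),
    ("GET", "/nagios/cgi-bin/statuswml.cgi?ping=192.0.2.10", ""),
    ("GET", "/nagios/cgi-bin/status.cgi?host=a%3Bb", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, suspicious_params(method, target, body))
```

Standard web server access logs record the query string but not POST bodies, so the POST case needs a proxy, WAF or request-body log as input.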

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.5 | HIGH
vendor_redhat | 7.5 | HIGH