CVE-2010-4279
published 2010-12-02


Priority P273, critical; CVSS 2.0 score 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 65.62% (99.2th percentile)
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
artica | pandora_fms | <= 3.1 |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |
artica | pandora_fms | |

Detection & IOCs (extracted from sources)

url: http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
hash: 21232f297a57a5a743894a0e4a801fc3
path: /pandora_console/index.php
path: /images/
command: GET /pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
  • Detect HTTP GET requests to index.php with all three parameters: loginhash=1, loginhash_user=admin, and loginhash_data=21232f297a57a5a743894a0e4a801fc3 (MD5 of 'admin').
  • Alert on POST requests to /pandora_console/index.php with query parameters sec=gsetup&sec2=godmode/setup/file_manager combined with multipart file upload, indicating exploitation of the file upload primitive post-auth-bypass.
  • Monitor for newly created .php files inside the /pandora_console/images/ directory, as the exploit uploads a randomly named PHP payload (7 random digits + .php) there for remote code execution.
  • Check HTTP response bodies for the string 'Logout' following a loginhash GET request — the Metasploit module uses this as confirmation of successful authentication bypass.
  • Fingerprint vulnerable Pandora FMS versions by checking the login page body for the string 'v3.1 Build PC10060', which the Metasploit module uses to confirm a vulnerable target.
  • The vulnerability is only exploitable when the loginhash_pwd configuration value is an empty string, which is the default. Installations where this value has been set to a non-empty secret are not directly vulnerable to the trivial bypass.
  • Version 3.1.1 added a guard requiring loginhash_pwd to be non-empty before accepting hash-based logins, but still uses weak MD5. The fix recommends replacing md5($user.$key) with hash_hmac('sha256', $user, $key).
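
Added example (not from the original page or its sources): a log triage script for the first two detection points above. It goes beyond the literal admin hash by flagging any loginhash request whose loginhash_data equals the unkeyed md5 of the supplied loginhash_user, which is what an empty loginhash_pwd accepts. The combined access-log format, the names classify and scan, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Client IP and request line of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return (client_ip, finding) for a suspicious log line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/index.php"):
        return None
    # PHP keeps the last value of a repeated parameter, so do the same here.
    q = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if q.get("loginhash") == "1" and "loginhash_user" in q:
        supplied = q.get("loginhash_data", "").lower()
        # With an empty loginhash_pwd, md5($user.$key) collapses to md5($user).
        unkeyed = hashlib.md5(q["loginhash_user"].encode()).hexdigest()
        return m["ip"], "empty-key-loginhash" if supplied == unkeyed else "loginhash-attempt"
    if (m["method"] == "POST" and q.get("sec") == "gsetup"
            and q.get("sec2") == "godmode/setup/file_manager"):
        return m["ip"], "file-manager-post"
    return None


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample entries (documentation address ranges), not real traffic.
_TS = '- - [02/Dec/2010:10:00:00 +0000]'
SAMPLE_LOG = [
    f'198.51.100.7 {_TS} "GET /pandora_console/index.php?loginhash_data='
    f'21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1 HTTP/1.1" 200 5120',
    f'198.51.100.7 {_TS} "GET /pandora_console/index.php?loginhash_data='
    f'{hashlib.md5(b"operator").hexdigest()}&loginhash_user=operator&loginhash=1 HTTP/1.1" 200 5120',
    f'203.0.113.9 {_TS} "GET /pandora_console/index.php?loginhash_data='
    f'{"0" * 32}&loginhash_user=admin&loginhash=1 HTTP/1.1" 200 2048',
    f'198.51.100.7 {_TS} "POST /pandora_console/index.php?sec=gsetup'
    f'&sec2=godmode/setup/file_manager HTTP/1.1" 200 900',
    f'192.0.2.20 {_TS} "GET /pandora_console/index.php HTTP/1.1" 200 7000',
]

for ip, finding in scan(SAMPLE_LOG):
    print(ip, finding)
```

A "loginhash-attempt" finding means the hash did not match the unkeyed form; on an installation with a non-empty loginhash_pwd that can be legitimate hash-based login traffic and needs correlation with the configured integrations.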