Software Engineering Institute

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-3829

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of session_id and template_id variables in displayServiceStatus.php and insufficient filtering on the command_line variable. The underlying operating system is then able to interpolate special characters, allowing for arbitrary commands to be injected.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-3828
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to SQL injection in the following php components:
http://server/centreon/include/views/graphs/common/makeXML_ListMetrics.php
http://server/centreon/include/views/graphs/GetXmlTree.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php
http://server/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
http://server/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php

Rapid7 reports that prior versions back to 2.0 may be affected. See the Rapid7 advisory for more details.

A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.

The CERT/CC is currently unaware of a practical solution to this problem.