PenTest Information:
====================
~Remove & ~FinalBeta discover multiple Vulnerabilities on Pandora FMS Monitoring Software.
A remote attacker is able to get sensitive customer data over multiple Vulnerabilities (remote & local).


Details
=======
Tested on OS:		Debian|Linux & Windows Vista
Tested with Software:	Mozilla Firefox 3.5.x (Portable|Mod);Tamper;Sfek;IE8;Conquerer

Vulnerable Products: 	Pandora FMS Monitoring & Pandora FMS VMWare-Image
Affected Versions: 	v2.1.x  &  v1.3.1
Vulnerability Type:	SQL-Injection, Local File-Inclusion & Multiple Input Validation Errors (XSS/CSRF Server-Side)
Security-Risk: 		High; Medium; Medium

Vendor-URL: 		http://pandorafms.org/
Source-URL:		http://pandorafms.org/index.php?sec=project&sec2=downloads&lang=en

Vendor-Status: 		Informed
Patch/Fix-Status:	Fixed version not released
Advisory-Status:	Published | 07.10.2009

Advisory-URL: 		http://www.global-evolution.info/news/files/pandora/Pandora-FMS-Monitoring.txt
Report-URL:		http://www.global-evolution.info/news/?p=792



Introduction
============
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
new technology market. 

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.
    * Get SNMP Traps from generic network devices. 
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module. 
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction. 
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.



(Copy from the Vendor's Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)



More Details
============
1.1
Multiple Input Validation Vulnerabilities are detected on serverside. A potencial attacker is able 
to include own bad Scriptroutines on server-side(Example;JS). Attackers can get Session-Data(Cookies) of Customers. 
This vulnerabilities can be exploited by potencial Attackers. CSRF & XSS Attacks on server-side are possible.

Screen:
../extern-site-include.png
../login-fail.png
../webcon.png

1.2
This Vulnerability can be used by restricted Users to delete the hole Serverlist without permission or restriction(no control!). 
Can be used over restricted customer accounts.

Example Screens:
../csrf.png


1.3
The Parameter loads all existing Filename with .php ending. So its possible to load any .php file in the same area with
complete content. the result is a local file-inclusion vulnerability.

Example Screens:
../lfi.png


1.3
Potencial Attackers can execute SQL-Statements over the "Notes attached to incident" function of the monitoring application.

Example Screens:
../sql-ij.png





Proof of Concept
================
For demonstration ...

1.1a Client-Side
http://127.0.0.1:80/pandora/index.php?keywords=[XSS]&head_search_keywords=abc
http://127.0.0.1:80/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=[XSS]
http://127.0.0.1:80/pandora/index.php?sec=eventos&sec2=operation/events/events&search=Alert%20fired%20%28Host%20Alive%29&event_type=&
severity=-1&status=0&ev_group=1&refr=5&id_agent=4&id_event=-1&pagination=20&group_rep=0&event_view_hr=1&id_user_ack=0&pure=[XSS!]&offset=160
http://127.0.0.1:80/pandora/ajax.php?page=godmode/alerts/alert_templates&get_template_tooltip=[XSS]&id_template=58

1.1b Server-Side
http://127.0.0.1:80/pandora/index.php?login=
http://127.0.0.1:80/pandora/index.php?sec=inventory&sec2=[XSS]
http://127.0.0.1:80/pandora/index.php?sec=incidencias&sec2=operation/incidents/incident_detail&id=[XSS]
http://127.0.0.1:80/pandora/index.php?sec=dashboard&sec2=enterprise/dashboard/main_dashboard&delete_dashboard=1&id=[XSS]
http://127.0.0.1:80/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=[XSS]

Best Link of 1.1 ...
http://127.0.0.1:80/pandora/index.php?sec=messages&sec2=operation/messages/message&new_msg=1


1.2
>"<iframe src=http://127.0.0.1:80/pandora/index.php?sec=gservers&sec2=godmode/servers/modificar_server&server_del=9&delete=1>


1.3
http://127.0.0.1:80/pandora/ajax.php?page=[LFI]&get_template_tooltip=1&id_template=58


1.4
http://127.0.0.1:80/pandora/index.php?sec=incidencias&sec2=operation/incidents/incident_detail&insertar_nota=1&id=-x'->[SQL]

Errors:
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax 
to use near '' at line 1 ('UPDATE tincidencia SET id_lastupdate = 'demo' WHERE id_incidencia IN ()') 
in /var/www/pandora_console/include/functions_incidents.php on line 140




Fix or Patch
============
1.1a-b 
Restrict the input fields (;->"<'*",.[]) & format it with htmlspecialchars.

1.2 
Bind function with a session and ask when somebody wants to delete inserted or listed objects.

1.3
Restrict the filenames to get sure that no attacker can implement local .php from the app folders.

1.4
Customers can use prepared statements to fix that kind of vulnerability.



Security Risk
=============
1.1a
Attackers can manipulate the application requests with xss on client-side.
The risk is estimated as low.

1.1b
An attacker is able to get sessioninformation or include bad script routines with xss/csrf. 
The risk is estimated as Medium because of very evil server-side executions are possible.

1.2
Potencial attackers can delete via csrf attack all servers of list without any restriction control.
The risk is estimated as medium because of server-side execution methods to attack.

1.3
The function takes any inserted Filename and try to access it on the local system.
The risk of this vulnerability is estimated as medium.

1.4
Attacks can attack the application with a sql-injection over a not secured function.
The risk of the vulnerability is estimated as high.



Author
=======
The author & writer is part of the Global-Evolution Security Group.

~finalbeta & ~remove