Pandora FMS Authenticated Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Pandora FMS versions through 7.0NG. This vulnerability arises in the net_tools.php functionality, where authenticated users can execute arbitrary operating system commands by exploiting the select_ips parameter during network tools operations, such as pinging. The issue stems from inadequate input sanitization, which allows for command injection.

Impact

Exploitation of this vulnerability allows for authenticated users to execute arbitrary commands on the server operating system, potentially leading to unauthorized access or modification of system files and processes.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'index.php' file within the 'pandora_console' directory. The request must include a 'select_ips' parameter with the crafted command, along with 'operation', 'community', and 'submit' parameters. The command will be executed on the server, and the response can be captured to verify successful exploitation.