Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Add Xymon useradm Command Execution module #12041
Add Xymon useradm Command Execution exploit module.
@bcoles : I'm having trouble getting a test environment set up. I've got a local Ubuntu box where I manually installed 4.3.24 and I'm beating my head against getting the Apache config working. I'll keep digging, but right now, the provided Apache config directs me to the
In the meantime, I grabbed the VM (which comes with , but I'm getting 401 Authorization failed during the
As a quick sanity check, I used
What am I missing here?
Good luck with that. Unfortunately, installing isn't as simply as dumping the
Despite linking the installation instructions in the module documentation, I didn't use them. I used the VM for this PR, specifically so I didn't have to mess with Apache config and trying to get ~3 year old dependencies to play nice together.
I also verified the bug by reading the source and reviewing the patch diffs, to be sure that the VM was representative of reality. I also tested the module across subnets, in case there was IP whitelisting.
(For the other open Xymon module PR
The good news, if you wish to pursue the manual installation route, is that you can probably steal some Apache config from the VM, which might save some time.
I'm not sure. There's a few things going on here.
From what I remember, the exploit worked out of the box, once a user was added with
First, I'd check that the changes applied with
Next, is there a reason you've removed the comma from the end of line 106? That's kind of important.
I'd probably need to see your console output with
If you don't have any luck, let me know and I'll rebuild the Xymon VM and document step-by-step any changes I make.
Thanks @bcoles. Apologies for the delay, since I was out on holiday.
I borked the VM on my first try, probably poking around configs unnecessarily. It worked fine with a fresh VM, though. For anyone in the future, here are the environment setup steps. Frankly, they're dead simple and I don't know how it didn't work the first time.