CVE-2018-11222 Scanner – RCE in Pandora FMS via LFI and File Upload

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Pandora FMS is an open-source monitoring system for IT infrastructure management. Versions ≤ 7.0NG.722 suffer from a critical Remote Code Execution (RCE) vulnerability that can be exploited without authentication by chaining two separate flaws: an unrestricted file upload (CVE-2018-11221) and a local file inclusion (LFI) vulnerability (CVE-2018-11222).

An attacker can upload a specially crafted ZIP file containing a malicious PHP file through the plugin upload endpoint, /pandora_console/ajax.php?page=include/ajax/update_manager.ajax&upload_file=true, because the upload process does not validate file types. The LFI flaw is then used to include and execute the uploaded PHP file through /pandora_console/ajax.php?page=[path]/plugin/phpinfo.

This results in full server compromise, allowing the attacker to execute arbitrary PHP code with web server privileges. The vulnerability chain has been publicly documented and remains exploitable in unpatched versions.

Impact:

  • Full remote code execution
  • No authentication required
  • Persistent server compromise
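
Added example (not part of the original page and not Pandora FMS code): a check a defender could run over web-server access logs to find clients that sent the upload request and then a plugin-path include request, the two steps described above. The log lines are constructed, the combined log format is an assumption, and EXAMPLE_DIR is a placeholder for the [path] the page leaves unspecified.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2018:10:01:02 +0000] "POST /pandora_console/ajax.php?page=include/ajax/update_manager.ajax&upload_file=true HTTP/1.1" 200 51 "-" "curl/7.58"
198.51.100.7 - - [12/Jun/2018:10:01:05 +0000] "GET /pandora_console/ajax.php?page=EXAMPLE_DIR/plugin/phpinfo HTTP/1.1" 200 9000 "-" "curl/7.58"
203.0.113.20 - - [12/Jun/2018:10:02:00 +0000] "GET /pandora_console/ajax.php?page=include/ajax/module HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2018:10:03:00 +0000] "POST /pandora_console/ajax.php?page=include/ajax/update_manager.ajax&upload_file=true HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_PAGE = "include/ajax/update_manager.ajax"

def classify(uri):
    """Return 'upload', 'include' or None for one request URI."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/pandora_console/ajax.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    page = q.get("page", [""])[-1]  # PHP keeps the last duplicate parameter
    # Any upload_file value is flagged; the page only shows upload_file=true.
    if page == UPLOAD_PAGE and "upload_file" in q:
        return "upload"
    # The page shows the include step as page=[path]/plugin/phpinfo.
    if "/plugin/" in page:
        return "include"
    return None

def find_chain(log_text):
    """Map client IP -> 'chain' (upload followed by include) or 'review'."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, uri = m.group(1), m.group(4)
        stage = classify(uri)
        if stage:
            stages.setdefault(ip, []).append(stage)
    findings = {}
    for ip, names in stages.items():
        chained = "upload" in names and "include" in names[names.index("upload"):]
        findings[ip] = "chain" if chained else "review"
    return findings

if __name__ == "__main__":
    print(find_chain(SAMPLE_LOG))
```

A "review" result means only one of the two requests was seen from that client; a lone upload request may be an administrator using the update manager.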
