High risk security bug in Proxmox VE 1.8?

lucaferr

Jun 21, 2011
Ignore me, false alert

[NOTE: The following is a false alert, so don't care about it... It was an error of OpenVas, obviously... I'm sorry!]

Hi All,
I set up a Proxmox VE 1.8 environment, all default, with Shorewall firewall configured.
Then I updated it all (apt-get update and apt-get upgrade) and I scanned it deeply with a dedicated machine running the latest version of Openvas (vulnerability scanner).
I found a high-risk bug (a public exploit already exists and it appears to lead to execution of arbitrary code on the host machine):

BUG NAME: PHPGenealogie 'CoupleDB.php' remote file inclusion vulnerability

BUG DETAILS:

Test ID: 1.3.6.1.4.1.25623.1.0.801008
Category: Web application abuses
Title: PHPGenealogie 'CoupleDB.php' Remote File Inclusion Vulnerability
Summary: Check for the version and attack of PHPGenealogie
Description: Overview: This host is running PHPGenealogie and is prone to Remote File
Inclusion vulnerability.

Vulnerability Insight:
The flaw is due to error in 'DataDirectory' parameter in 'CoupleDB.php' which
is not properly verified before being used to include files.

Impact:
Successful exploitation will let the attacker to execute arbitrary code on
the vulnerable Web server.

Impact level: Application/System

Affected Software/OS:
PHPGenealogie version 2.0

Fix: No solution or patch is available as on 07th October, 2009. Information
regarding this issue will be updated once the solution details are available.
For updates refer, http://sourceforge.net/projects/phpgenealogie/files/

References:
http://www.milw0rm.com/exploits/9155
http://xforce.iss.net/xforce/xfdb/51728

CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 6.7
Risk factor: High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-3541
http://www.milw0rm.com/exploits/9155
XForce ISS Database: phpgenealogy-datadirectory-file-include(51728)
http://xforce.iss.net/xforce/xfdb/51728
Copyright: Copyright (C) 2009 Greenbone Networks GmbH

Did you know about this bug?
Is this as dangerous as Openvas says?
Do you think we can fix it? That PHPGenealogie unfortunately doesn't seem to be updated anymore :(
Thank you!
 
There is no PHP installed on Proxmox VE and no PHPGenealogy, so I do not see how this applies to Proxmox VE.
 
Ahaha, I have no idea what the hell OpenVas found (he seemed to be very sure)...
I'm sorry, I'll check it now to understand why the hell he did say that...
 
Hi, could someone please correct the subject of this thread so as not to bring other sysadmins' hearts to a sudden standstill for virtually nothing?
Thanks, hk.
 
You're right, done! ;-)

EDIT: Oh, no, the main title is not changed... So I ask the admins to kindly do it (you can delete it!)... Sorry for all this mess, I'll check the accuracy of OpenVas results next time ;-)
 