The default configuration of Pandora FMS 3.1 and earlier versions specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter together with the MD5 hash of "admin" in the loginhash_data parameter.
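A log check for the request shape described above, as an added example that is not part of the original advisory: it flags index.php requests whose loginhash_data equals the plain MD5 of the loginhash_user value, the pairing the advisory describes for "admin". The access-log format, sample lines and function names are assumptions, and matching any user name rather than only "admin" generalizes the page's case.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: Apache/nginx common log format (not stated on the page).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def find_empty_secret_logins(lines):
    """Return (ip, user, status) for index.php requests whose loginhash_data
    is the bare MD5 of loginhash_user (no secret mixed into the hash)."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("index.php"):
            continue
        params = parse_qs(url.query)  # URL-decodes parameter values
        user = params.get("loginhash_user", [""])[0]
        data = params.get("loginhash_data", [""])[0].strip().lower()
        if user and data == md5_hex(user):
            hits.append((m.group("ip"), user, int(m.group("status"))))
    return hits

# Constructed sample lines: documentation IP ranges, made-up timestamps and sizes.
_WITH_SECRET = md5_hex("admin" + "constructed-secret")  # hash that includes a secret
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2010:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2010:10:02:10 +0000] "GET /index.php?loginhash_user=admin'
    f'&loginhash_data={md5_hex("admin")} HTTP/1.1" 200 8841',
    '198.51.100.23 - - [12/Mar/2010:10:03:45 +0000] "GET /index.php?loginhash_user=admin'
    f'&loginhash_data={_WITH_SECRET} HTTP/1.1" 200 8790',
    '203.0.113.44 - - [12/Mar/2010:10:05:02 +0000] "GET /index.php?loginhash_user=operator'
    f'&loginhash_data={md5_hex("operator")} HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, user, status in find_empty_secret_logins(SAMPLE_LOG):
        print(f"{ip} used a secret-less login hash for user {user!r} (HTTP {status})")
```

Only parameters sent in the query string appear in an access log, so requests that carry them in a POST body need application-level or proxy logging to be seen.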
Vulnerable Product |
---|
artica pandora fms 3.1 |
artica pandora fms 3.0 |
artica pandora fms 2.0 |
artica pandora fms 2.1.1 |
artica pandora fms 1.3.1 |
artica pandora fms 1.3 |
artica pandora fms 2.1 |
artica pandora fms 1.2 |
artica pandora fms |