Vulnerabilities > CVE-2009-0667 - Unspecified vulnerability in Ocsinventory-Ng OCS Inventory NG and Ocsinventory-Agent

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Untrusted search path vulnerability in Agent/Backend.pm in Ocsinventory-Agent before 0.0.9.3, and 1.x before 1.0.1, in OCS Inventory allows local users to gain privileges via a Trojan horse Perl module in an arbitrary directory.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-16314.NASL
    description - security update for CVE-2009-0667 http://bugs.debian.org/590879 http://www.debian.org/security/2009/dsa-1828 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50397
    published2010-10-29
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50397
    titleFedora 14 : ocsinventory-agent-1.1.2.1-1.fc14 (2010-16314)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2010-16314.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50397);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:32");
    
      script_bugtraq_id(35593);
      script_xref(name:"DSA", value:"1828");
      script_xref(name:"FEDORA", value:"2010-16314");
    
      script_name(english:"Fedora 14 : ocsinventory-agent-1.1.2.1-1.fc14 (2010-16314)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - security update for CVE-2009-0667
        http://bugs.debian.org/590879
        http://www.debian.org/security/2009/dsa-1828
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://bugs.debian.org/590879
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590879"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2010-October/049983.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ff792590"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ocsinventory-agent package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ocsinventory-agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC14", reference:"ocsinventory-agent-1.1.2.1-1.fc14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ocsinventory-agent");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1828.NASL
    descriptionIt was discovered that the ocsinventory-agent which is part of the ocsinventory suite, a hardware and software configuration indexing service, is prone to an insecure perl module search path. As the agent is started via cron and the current directory (/ in this case) is included in the default perl module path the agent scans every directory on the system for its perl modules. This enables an attacker to execute arbitrary code via a crafted ocsinventory-agent perl module placed on the system. The oldstable distribution (etch) does not contain ocsinventory-agent.
    last seen2020-06-01
    modified2020-06-02
    plugin id44693
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44693
    titleDebian DSA-1828-1 : ocsinventory-agent - insecure module search path
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1828. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44693);
      script_version("1.9");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-0667");
      script_xref(name:"DSA", value:"1828");
    
      script_name(english:"Debian DSA-1828-1 : ocsinventory-agent - insecure module search path");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the ocsinventory-agent which is part of the
    ocsinventory suite, a hardware and software configuration indexing
    service, is prone to an insecure perl module search path. As the agent
    is started via cron and the current directory (/ in this case) is
    included in the default perl module path the agent scans every
    directory on the system for its perl modules. This enables an attacker
    to execute arbitrary code via a crafted ocsinventory-agent perl module
    placed on the system.
    
    The oldstable distribution (etch) does not contain ocsinventory-agent."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1828"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the ocsinventory-agent packages.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1:0.0.9.2repack1-4lenny1."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ocsinventory-agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"ocsinventory-agent", reference:"1:0.0.9.2repack1-4lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-16334.NASL
    description - security update for CVE-2009-0667 http://bugs.debian.org/590879 http://www.debian.org/security/2009/dsa-1828 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50310
    published2010-10-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50310
    titleFedora 12 : ocsinventory-agent-1.1.2.1-1.fc12 (2010-16334)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2010-16334.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50310);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:32");
    
      script_bugtraq_id(35593);
      script_xref(name:"DSA", value:"1828");
      script_xref(name:"FEDORA", value:"2010-16334");
    
      script_name(english:"Fedora 12 : ocsinventory-agent-1.1.2.1-1.fc12 (2010-16334)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - security update for CVE-2009-0667
        http://bugs.debian.org/590879
        http://www.debian.org/security/2009/dsa-1828
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://bugs.debian.org/590879
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590879"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2010-October/049731.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7004f384"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ocsinventory-agent package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ocsinventory-agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:12");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^12([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 12.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC12", reference:"ocsinventory-agent-1.1.2.1-1.fc12")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ocsinventory-agent");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-16335.NASL
    description - security update for CVE-2009-0667 http://bugs.debian.org/590879 http://www.debian.org/security/2009/dsa-1828 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id50311
    published2010-10-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50311
    titleFedora 13 : ocsinventory-agent-1.1.2.1-1.fc13 (2010-16335)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2010-16335.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50311);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:32");
    
      script_bugtraq_id(35593);
      script_xref(name:"DSA", value:"1828");
      script_xref(name:"FEDORA", value:"2010-16335");
    
      script_name(english:"Fedora 13 : ocsinventory-agent-1.1.2.1-1.fc13 (2010-16335)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - security update for CVE-2009-0667
        http://bugs.debian.org/590879
        http://www.debian.org/security/2009/dsa-1828
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://bugs.debian.org/590879
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590879"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2010-October/049719.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8639b845"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ocsinventory-agent package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ocsinventory-agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:13");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^13([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 13.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC13", reference:"ocsinventory-agent-1.1.2.1-1.fc13")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ocsinventory-agent");
    }
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 35593 CVE(CAN) ID: CVE-2009-0667 OCS Inventory NG(Open Computer and Software Inventory Next Generation)是一款系统管理软件,能帮助管理员掌握计算机软件安装和配置,在HTTP代理和服务器之间实现低网络流量通讯。 OCS Inventory套件中的代理组件没有安全地处理Perl模块搜索路径。在通过cron启动代理且默认的Perl模块路径中包含有当前目录的情况下,代理会在系统上的每个目录中扫描Perl模块。以下是Agent/Backend.pm中所执行的代码: foreach my $d (@INC) { next unless -d $d; File::Find::find( sub { push @installed_mod, $File::Find::name if $File::Find::name =~ /Ocsinventory\/Agent\/Backend\/.*\.pm$/; } , $d); } 由于@INC中包含有“.”,这实际会导致从$pwd扫描所有的子目录。 如果攻击者在系统中放置了特制的ocsinventory-agent perl模块,在扫描到该模块时就会导致执行任意代码。 OCS Inventory NG 1.00 厂商补丁: Debian ------ Debian已经为此发布了一个安全公告(DSA-1828-1)以及相应补丁: DSA-1828-1:New ocsinventory-agent packages fix arbitrary code execution 链接:http://www.debian.org/security/2009/dsa-1828 补丁下载: Source archives: http://security.debian.org/pool/updates/main/o/ocsinventory-agent/ocsinventory-agent_0.0.9.2repack1-4lenny1.dsc Size/MD5 checksum: 1334 cf43f5ea659d2ec4d4b854953e8c18c6 http://security.debian.org/pool/updates/main/o/ocsinventory-agent/ocsinventory-agent_0.0.9.2repack1.orig.tar.gz Size/MD5 checksum: 207786 ce09d43d41596641dbb1bd66dc4f2b62 http://security.debian.org/pool/updates/main/o/ocsinventory-agent/ocsinventory-agent_0.0.9.2repack1-4lenny1.diff.gz Size/MD5 checksum: 12171 d718e83817905e2e22edcfa25fa863b4 Architecture independent packages: http://security.debian.org/pool/updates/main/o/ocsinventory-agent/ocsinventory-agent_0.0.9.2repack1-4lenny1_all.deb Size/MD5 checksum: 83362 1d103ed0bb2520dfb3fc8b430ae30a6c 补丁安装方法: 1. 手工安装补丁包: 首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址) 然后,使用下面的命令来安装补丁: # dpkg -i file.deb (file是相应的补丁名) 2. 使用apt-get自动安装补丁包: 首先,使用下面的命令更新内部数据库: # apt-get update 然后,使用下面的命令安装更新软件包: # apt-get upgrade
idSSV:11771
last seen2017-11-19
modified2009-07-09
published2009-07-09
reporterRoot
titleOCS Inventory NG代理Backend.pm Perl模块处理代码执行漏洞