Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Mrtg Path Disclosure Vulnerability
From: Dave Ahmad <da () securityfocus com>
Date: Mon, 4 Feb 2002 10:56:28 -0700 (MST)

Barney,

You're correct.. 'mrtg.cgi' is not part of MRTG.  It's from a completely
indepedent utility called 'mrtgconfig'.  The project homepage is:

http://mrtgconfig.sourceforge.net/

The path disclosure issue (version 0.5.9):

[dma () victim mrtgconfig]$ /home/dma/mtrg/mrtgconfig/mrtg.cgi
(offline mode: enter name=value pairs on standard input)
cfg
Content-type: text/html

<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or
directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46,
&lt;STDIN&gt; chunk 1.
</CODE>
<P>

For help, please send mail to this site's webmaster, giving this error
message and the time and date of the error.

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Mon, 4 Feb 2002, Barney Wolff wrote:

Unless I'm terribly confused, mrtg only generates files and runs off
cron, not as a cgi.  So you're dealing with something other than mrtg
itself.  Also, the current version is 2.9.18pre1.

Barney Wolff

On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:

Summary:
If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg cgi
script.

http://host/mrtg.cgi?cfg=blabla

Tested:
Mrtg v2.090011
Mrtg v2.090006

Vulnerable:
Mrtg v2.090011
Mrtg v2.090006

And may be other.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault