[56785] in North American Network Operators' Group
* * * SECURITY UPDATE * * * MRLG-4.2.4 Released * * * (fwd)
daemon@ATHENA.MIT.EDU (John Payne)
Sat Mar 15 00:04:40 2003
Date: Sat, 15 Mar 2003 00:01:28 -0500
From: John Payne <john@sackheads.org>
To: nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu
Forwarded by request.
---------- Forwarded Message ----------
* * * SECURITY UPDATE FOR MULTI-ROUTER LOOKING GLASS * * *
A vulnerability has been discovered by the EnterZone staff in Multi-Router
Looking Glass versions 4.2.2 and 4.2.3.
Vulnerability:
If the MRLG admin has specified "$::output_before_menu = 1;" in mrlg.conf,
remote users are able to execute MRLG commands on password (MRLG
password) protected routers that have been configured. This vulnerability
does not affect users who have not specified "$::output_before_menu =
1;" in mrlg.conf or MRLG versions prior to 4.2.2.
Fix:
Upgrade to MRLG-4.2.4, available for immediate download at:
ftp://ftp.enterzone.net/looking-glass/CURRENT/
Alternately, users running MRLG-4.2.3 may patch their MRLG to version
4.2.4 with the following patch:
*** index.cgi Wed Nov 27 01:23:57 2002
--- index.cgi.new Fri Mar 14 23:11:16 2003
*************** no warnings "once";
*** 8,10 ****
! $::Version='4.2.3 Beta (IPv6)';
--- 8,10 ----
! $::Version='4.2.4 Beta (IPv6)';
*************** set_router();
*** 150,154 ****
--- 150,162 ----
+ if ($::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'})
+ {
if ($::output_before_menu)
{
+ ## Set up which command is to be executed (and then execute it!)
set_command();
+ }
+ }
+ else
+ {
+ print "<font color=red><B>INVALID PASSWORD!</B></font><BR>";
}
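Review bot: the new guard compares `$::Form{'pass1'}` with `$::Routers{$::Form{'router'}}{'pass'}` using `eq` with no `exists`/`defined` check, so a router name that is not in `%::Routers` autovivifies an entry with no `pass`, and an absent or empty `pass1` compares equal to it (`'' eq undef` is true), which lets the request fall into the `set_command()` branch; unless `set_router()` is guaranteed to have rejected unknown names already, precede the comparison with `exists $::Routers{$::Form{'router'}}` and wrap both operands in `defined` (this also avoids "Use of uninitialized value" noise under `use warnings`). Separately, the `else` branch that prints `INVALID PASSWORD!` runs on any mismatch, even when `$::output_before_menu` is off, so the change is wider than the set of affected configurations described in the advisory; if that is intended it deserves a note in the changelog, otherwise nest the password test inside the `if ($::output_before_menu)` block to keep the fix scoped.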
---------- End Forwarded Message ----------
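A minimal model of the request flow the advisory describes, added here as an example and not MRLG's own code: the router table, the form hash, the helper names (password_ok, dispatch_vulnerable, dispatch_fixed) and the assumption that the menu path enforces the password are all constructed for this illustration; the hardened check goes beyond the posted patch by refusing unknown router names and undefined values.

```perl
#!/usr/bin/perl
# Constructed model of the MRLG dispatch path (not the project's code).
use strict;
use warnings;

# Router table in the shape the patch uses: $Routers{name}{pass}
our %Routers = (
    'core1'   => { pass => 's3cret' },   # password protected (constructed)
    'public1' => { },                    # no password configured
);

# Returns 1 only if the request may run a command on $form->{router}.
sub password_ok {
    my ($form) = @_;
    my $name = $form->{router} // '';
    # Unknown router: refuse instead of autovivifying an empty entry,
    # which an empty pass1 would otherwise compare equal to.
    return 0 unless exists $Routers{$name};
    my $want = $Routers{$name}{pass};
    return 1 unless defined $want && length $want;   # unprotected router
    return (defined $form->{pass1} && $form->{pass1} eq $want) ? 1 : 0;
}

# Vulnerable flow (4.2.2/4.2.3 as described): with output_before_menu set,
# the command is executed right away; only the menu path (assumed here)
# checks the password.
sub dispatch_vulnerable {
    my ($form, $output_before_menu) = @_;
    return 'executed' if $output_before_menu;       # no password check
    return password_ok($form) ? 'executed' : 'INVALID PASSWORD';
}

# Patched flow: the password check guards the command regardless of
# the output_before_menu setting.
sub dispatch_fixed {
    my ($form, $output_before_menu) = @_;
    return 'INVALID PASSWORD' unless password_ok($form);
    return $output_before_menu ? 'executed' : 'menu';
}

# Constructed requests: wrong password against a protected router,
# and a router name that is not configured at all.
my $bad_pass = { router => 'core1', pass1 => 'wrong' };
my $unknown  = { router => 'nope',  pass1 => '' };
printf "vulnerable, output_before_menu=1: %s\n", dispatch_vulnerable($bad_pass, 1);
printf "fixed,      output_before_menu=1: %s\n", dispatch_fixed($bad_pass, 1);
printf "fixed,      unknown router:       %s\n", dispatch_fixed($unknown, 1);
```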