[24083] in bugtraq
Re: Mrtg Path Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (Barney Wolff)
Mon Feb 4 13:29:16 2002
Date: Mon, 4 Feb 2002 12:05:59 -0500
From: Barney Wolff <barney@databus.com>
To: Tamer Sahin <ts@securityoffice.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20020204120559.A74220@tp.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000e01c1ad11$8849c5f0$d5fb83d9@ts>; from ts@securityoffice.net on Mon, Feb 04, 2002 at 02:18:54AM +0200
Unless I'm terribly confused, mrtg only generates files and runs off
cron, not as a cgi. So you're dealing with something other than mrtg
itself. Also, the current version is 2.9.18pre1.
Barney Wolff
On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
>
> Summary:
> If an attacker submits a web request containing unexpected arguments
> for script variables, an error message will be displayed containing
> the path to the webroot directory of the server running the Mrtg cgi
> script.
>
> http://host/mrtg.cgi?cfg=blabla
>
> Tested:
> Mrtg v2.090011
> Mrtg v2.090006
>
> Vulnerable:
> Mrtg v2.090011
> Mrtg v2.090006
>
> And may be other.
