[24090] in bugtraq
Re: Mrtg Path Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (Dave Ahmad)
Mon Feb 4 15:44:10 2002
Date: Mon, 4 Feb 2002 10:56:28 -0700 (MST)
From: Dave Ahmad <da@securityfocus.com>
To: Barney Wolff <barney@databus.com>
Cc: Tamer Sahin <ts@securityoffice.net>, <bugtraq@securityfocus.com>
In-Reply-To: <20020204120559.A74220@tp.databus.com>
Message-ID: <Pine.LNX.4.43.0202041050560.18483-100000@mail.securityfocus.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Barney,
You're correct.. 'mrtg.cgi' is not part of MRTG. It's from a completely
independent utility called 'mrtgconfig'. The project homepage is:
http://mrtgconfig.sourceforge.net/
The path disclosure issue (version 0.5.9):
[dma@victim mrtgconfig]$ /home/dma/mtrg/mrtgconfig/mrtg.cgi
(offline mode: enter name=value pairs on standard input)
cfg
Content-type: text/html
<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or
directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46,
<STDIN> chunk 1.
</CODE>
<P>
For help, please send mail to this site's webmaster, giving this error
message and the time and date of the error.
Dave Ahmad
SecurityFocus
www.securityfocus.com
On Mon, 4 Feb 2002, Barney Wolff wrote:
> Unless I'm terribly confused, mrtg only generates files and runs off
> cron, not as a cgi. So you're dealing with something other than mrtg
> itself. Also, the current version is 2.9.18pre1.
>
> Barney Wolff
>
> On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
> >
> > Summary:
> > If an attacker submits a web request containing unexpected arguments
> > for script variables, an error message will be displayed containing
> > the path to the webroot directory of the server running the Mrtg cgi
> > script.
> >
> > http://host/mrtg.cgi?cfg=blabla
> >
> > Tested:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > Vulnerable:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > And maybe others.
>
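
Added example, not part of the thread and not mrtgconfig code: a response-side check for the disclosure shown above, which finds Perl error locations ("at /absolute/path line N") in an HTTP body and swaps the leaking <CODE> text for a generic message while keeping the detail for the server log. The function names and the sample body (constructed from the output quoted in the post) are assumptions of this example.

```python
import html
import re

# Perl appends " at <script> line <N>" to die()/warn() messages; an absolute
# script path in a response body is the disclosure shown in the post.
PERL_DIE_LOCATION = re.compile(r"\bat (?P<path>/[^\s<>\"']+) line (?P<line>\d+)")
CODE_BLOCK = re.compile(r"<code>(.*?)</code>", re.IGNORECASE | re.DOTALL)


def find_path_leaks(body):
    """Return (path, line) pairs for Perl error locations found in an HTTP body."""
    # Error text may be HTML-escaped and wrapped across lines, so normalise first.
    text = " ".join(html.unescape(body).split())
    return [(m.group("path"), int(m.group("line")))
            for m in PERL_DIE_LOCATION.finditer(text)]


def redact_error_page(body, log):
    """Move leaking <CODE> error text into `log` and return a sanitised body."""
    def scrub(match):
        if not find_path_leaks(match.group(1)):
            return match.group(0)  # no absolute path inside, keep as-is
        log.append(" ".join(html.unescape(match.group(1)).split()))
        return "<CODE>Internal error (details logged on the server).</CODE>"
    return CODE_BLOCK.sub(scrub, body)


# Constructed sample: the error page text quoted in the post.
SAMPLE = """<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or
directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46,
<STDIN> chunk 1.
</CODE>
<P>
For help, please send mail to this site's webmaster, giving this error
message and the time and date of the error."""

if __name__ == "__main__":
    server_log = []
    print(find_path_leaks(SAMPLE))
    print(redact_error_page(SAMPLE, server_log))
    print(server_log)
```

A message that names only a relative script ("at mrtg.cgi line 46") is not flagged, since it reveals no filesystem layout.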