[mrtg] MRTG Vulnerabilityfrom bugtraq
CARL.P.HIRSCH at sargentlundy.com
CARL.P.HIRSCH at sargentlundy.com
Mon Feb 4 17:48:19 MET 2002
Not that this is so serious, but it's already garnered mention on
Securityfocus.com
-carl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mrtg Path Disclosure Vulnerability
Type:
Input Validation Error
Release Date:
February 4, 2002
Product / Vendor:
The Multi Router Traffic Grapher (Mrtg) is a tool to monitor the
traffic load on network-links. Mrtg generates html pages containing
gif images which provide a live visual representation of this
traffic.
http://www.mrtg.org
Summary:
If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg cgi
script.
http://host/mrtg.cgi?cfg=blabla
Tested:
Mrtg v2.090011
Mrtg v2.090006
Vulnerable:
Mrtg v2.090011
Mrtg v2.090006
And may be other.
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts at securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPF3TbLuLpFMrXtywEQIU5QCghYmngYvhwveU+8W3JwTz5QtsmU0AoJZD
Tbl6HDhKVnFPEy1DSB3/q3AH
=+kUc
-----END PGP SIGNATURE-----
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
More information about the mrtg
mailing list