[mrtg] directory traversal problems with 14all.cgi

Greg.Volk at edwardjones.com
Wed Feb 6 17:28:34 MET 2002


A coworker of mine recently demonstrated to me that the way I
currently have 14all.cgi configured, it is vulnerable to a 
directory traversal attack. What he couldn't tell me, and I
couldn't figure out on my own, is how to remedy this problem.

The following line currently displays the first line of my
/etc/hosts to anyone who wants to know. Not a big deal, since
this is not a publicly accessible server, but something I
would like to fix nonetheless.

http://mrtgserver/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/hosts

My question is what can I do to fix this? 
Am I looking at an httpd misconfiguration? 
Incorrect permissions for user "nobody?"
A 14all misconfiguration?

Is anybody else having this problem?

I looked through the archives and ran several queries against
google looking for more info about this but didn't find anything.
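
One way to close the hole described in the post, as an added example that is not part of the original message and not 14all.cgi's own code: accept the cfg value only as a bare file name and confirm it resolves inside a single config directory. The name safe_cfg_path, the temporary directory and router1.cfg are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not 14all.cgi's own code. safe_cfg_path() is a hypothetical
# helper; in a real install $dir would be the directory holding the MRTG configs.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the absolute path of a config file inside $dir, or nothing if the
# requested value is not a plain "*.cfg" file name that resolves inside $dir.
sub safe_cfg_path {
    my ($dir, $requested) = @_;
    return unless defined $requested;

    # Allow-list: bare file name, no slash, no leading dot, must end in .cfg.
    return unless $requested =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.cfg)\z/;
    my $name = $1;    # the capture also untaints the value under perl -T

    my $base = realpath($dir);
    return unless defined $base;
    my $candidate = File::Spec->catfile($base, $name);
    return unless -f $candidate;

    # realpath follows symlinks; reject anything that ends up outside $base.
    my $full = realpath($candidate);
    return unless defined $full && index($full, "$base/") == 0;
    return $full;
}

# Constructed demo: a throwaway config directory with one config file in it.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', File::Spec->catfile($dir, 'router1.cfg') or die "open: $!";
close $fh;

# Constructed request values, including the one from the post.
for my $cfg ('router1.cfg', '../../../../../../../../etc/hosts', '/etc/hosts',
             'router1.cfg/../../x', "router1.cfg\0.html", '.hidden.cfg') {
    my $path = safe_cfg_path($dir, $cfg);
    (my $shown = $cfg) =~ s/\0/\\0/g;
    printf "%-40s %s\n", $shown, defined $path ? 'serve' : 'reject';
}
```

Only `router1.cfg` is served; every other value is rejected before any file is opened.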

