[rrd-users] "vulnerabilities" in MRTG-related CGI scripts

Dave Plonka plonka at doit.wisc.edu
Mon Feb 4 19:31:09 MET 2002

[I haven't posted this to the MRTG list since I'm not on it...]

FYI, below I've included three "vulnerability" announcements regarding
MRTG and MRTG-related CGI scripts.  These announcements were recently
posted to the very-popular, very-public "bugtraq" mailing list.

Regarding their validity, I tested an old "14all.cgi" script that I
have verified that it was possible to cause it to expose the first line
of public files, such as "/etc/passwd".  (Whether or not you wish to
consider that a vulnerability is up to you.)

FWIW, my suggestion is to do one of the following if you are running
*any* common/popular CGI scripts that are not meant to be accessible to
the general public:

 1) For private web servers (i.e. those not meant to be used by the
    general public), implement a firewall policy to prevent HTTP
    connections from arbitrary hosts.

 2) For public web servers, use your web server software's
    authentication features to restrict access to the CGI scripts.

 3) For public web servers on which CGI scripts are meant to be used
    only by those with explicit knowledge of them, give your CGI scripts
    unusual names, so that someone probing for them by their default
    names are unlikely to find them.

Lastly, please keep in mind that I did not report these vulnerabilities
nor would I have done so without posting workarounds or fixes), I'm
just forwarding them to folks that might be interested.  If you have
meaningful follow-ups please consider posting them to "bugtraq".
If you're not familiar with "bugtraq" here's the FAQ:



P.S. Normally you can view the bugtraq archive here:


but it currently seems out of date (so these new messages doen't show
up there yet, although I have received them from the mailing list).

----- Forwarded message from UkR-XblP? <cuctema at ok.ru> -----

From: "UkR-XblP?" <cuctema at ok.ru>
Subject: new advisory
To: BUGTRAQ at securityfocus.com
X-Mailer: CommuniGate Pro Web Mailer v.3.5.2
Date: Sat, 02 Feb 2002 04:47:29 +0300

                    ---=== UkR Security Team advisory 
Name          : MRTG CGI script "show files" Vulnerability
About         : The Multi Router Traffic Grapher (MRTG) is 
a tool to monitor the traffic
                 load on network-links. MRTG generates 
HTML pages containing GIF
                 images which provide a LIVE visual 
representation of this traffic
Product vendor: MRTG / http://www.mrtg.org
Problem       : Problem lyes in incorrect validation of 
user submitted
                 -by-browser information, that can show 
first string of any file of the
                 system where script installed. 
Workaround    : this will help in somewhat : $input =~ 
Author        : UkR-XblP / UkR security team
Exploit       : 
Professional hosting for everyone - http://www.host.ru

----- End forwarded message -----

----- Forwarded message from Tamer Sahin <ts at securityoffice.net> -----

From: "Tamer Sahin" <ts at securityoffice.net>
To: <bugtraq at securityfocus.com>
Subject: Mrtg Path Disclosure Vulnerability
Date: Mon, 4 Feb 2002 02:18:54 +0200
Organization: http://www.securityoffice.net

Hash: SHA1

Mrtg Path Disclosure Vulnerability

Input Validation Error

Release Date:
February 4, 2002

Product / Vendor:
The Multi Router Traffic Grapher (Mrtg) is a tool to monitor the
traffic load on network-links. Mrtg generates html pages containing
gif images which provide a live visual representation of this


If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the Mrtg cgi


Mrtg v2.090011
Mrtg v2.090006

Mrtg v2.090011
Mrtg v2.090006

And may be other.

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Tamer Sahin
ts at securityoffice.net

Tamer Sahin
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0

Version: PGP 7.1


----- End forwarded message -----

----- Forwarded message from sj at datanet.hu -----

Date: Mon, 4 Feb 2002 12:05:47 +0100 (CET)
From: sj at datanet.hu
To: bugtraq at securityfocus.com
Subject: RE: new advisory

I think some filtering after the line '$q = new CGI;' would help a little


my $SECMSG = 'Pliz dont hekk us\n";

if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');

if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }

you could also check the ownership of $cfgfile and deny opening
root (and maybe other) owned files.

>>Exploit :


----- End forwarded message -----

plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI

Unsubscribe mailto:rrd-users-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:rrd-users-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/rrd-users
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

More information about the rrd-users mailing list