Re: Mrtg Path Disclosure Vulnerability

[Dave Ahmad <da () securityfocus com>]

Barney,

You're correct.. 'mrtg.cgi' is not part of MRTG.  It's from a completely
indepedent utility called 'mrtgconfig'.  The project homepage is:

http://mrtgconfig.sourceforge.net/

The path disclosure issue (version 0.5.9):

[dma@victim mrtgconfig]$ /home/dma/mtrg/mrtgconfig/mrtg.cgi
(offline mode: enter name=value pairs on standard input)
cfg
Content-type: text/html

<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or
directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46,
&lt;STDIN&gt; chunk 1.
</CODE>
<P>

For help, please send mail to this site's webmaster, giving this error
message and the time and date of the error.

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Mon, 4 Feb 2002, Barney Wolff wrote:

> Unless I'm terribly confused, mrtg only generates files and runs off
> cron, not as a cgi.  So you're dealing with something other than mrtg
> itself.  Also, the current version is 2.9.18pre1.
>
> Barney Wolff
>
> On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
> > Summary:
> > If an attacker submits a web request containing unexpected arguments
> > for script variables, an error message will be displayed containing
> > the path to the webroot directory of the server running the Mrtg cgi
> > script.
> >
> > http://host/mrtg.cgi?cfg=blabla
> >
> > Tested:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > Vulnerable:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > And may be other.