munin-cgi-graph CGI::param security problem #721
Running munin-2.0.25 on Gentoo. I observed this message in the logs:
2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404.
This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this:
which wrote the graph to /tmp/test.txt
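The mechanism behind that warning, as an added Perl example that is not code from munin or from this issue: a constructed stand-in `param()` mimics CGI::param's context-dependent return value, and the vulnerable hash construction is shown beside the scalar-context fix that the referenced Debian patch applies.

```perl
#!/usr/bin/perl
# Added example (not munin's code): why CGI::param in list context lets a
# request inject extra options, and how forcing scalar context prevents it.
use strict;
use warnings;

# Constructed request: the "file" parameter is repeated three times.
my %query = ( file => [ 'graph.png', 'debug', '1' ], width => ['400'] );

# Stand-in for CGI::param: all values in list context, first value in
# scalar context (the same behaviour CGI.pm documents).
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Vulnerable pattern: param() is called in list context inside a hash
# constructor, so surplus values spill over and become new key/value pairs.
sub build_opts_vulnerable {
    my %opts = ( file => param('file'), width => param('width') );
    return \%opts;
}

# Fixed pattern: scalar context keeps exactly one value per parameter.
sub build_opts_fixed {
    my %opts = ( file => scalar param('file'), width => scalar param('width') );
    return \%opts;
}

my $bad  = build_opts_vulnerable();   # file, width, plus an injected "debug" key
my $good = build_opts_fixed();        # only file and width
printf "vulnerable: %s\n", join ', ', map { "$_=$bad->{$_}" } sort keys %$bad;
printf "fixed:      %s\n", join ', ', map { "$_=$good->{$_}" } sort keys %$good;
```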
control: found -1 2.0.6-4+deb7u2
control: tags -1 pending
thanks
On Fri, Feb 24, 2017 at 01:37:55AM -0800, mejo- wrote:
> I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too. The proposed patch by Tomaž Šolc from [Debian Bugreport #855705](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5) fixes this particular vulnerability.
thanks, mejo, for confirming this both!…
-- cheers, Holger