munin-cgi-graph CGI::param security problem #721

Closed
sstj opened this Issue Jul 27, 2016 · 7 comments

Contributor

sstj commented Jul 27, 2016

Running munin-2.0.25 on Gentoo. I observed this message in the logs

2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404.

This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this:

&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

which wrote the graph to /tmp/test.txt
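
What list context does with the repeated parameter from the report above, next to a scalar-context form. This is an added example, not part of the original post and not munin's code; the two argument builders and the `--upper-limit` option list are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the repeated parameter quoted in the report above.
my $query = 'upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt';
my $q     = CGI->new($query);

# Hypothetical argument builder (not munin's code). param() is evaluated
# inside a list, so it returns every value of the repeated parameter and
# each one becomes a separate element of the option list. CGI.pm releases
# that carry the warning quoted in the log emit it on this call.
sub build_args_list_context {
    my ($cgi) = @_;
    my @args = ('--upper-limit', $cgi->param('upper_limit'));
    return @args;
}

# Hardened form: force scalar context so only the first value is read,
# then accept it only if it is a plain number.
sub build_args_scalar {
    my ($cgi) = @_;
    my $limit = scalar $cgi->param('upper_limit');
    return () unless defined $limit && $limit =~ /\A-?\d+(?:\.\d+)?\z/;
    return ('--upper-limit', $limit);
}

my @unsafe = build_args_list_context($q);
my @safe   = build_args_scalar($q);

# Print one element per bracket pair to show how many options each form built.
print 'list context:   ', join(' ', map { "[$_]" } @unsafe), "\n";
print 'scalar context: ', join(' ', map { "[$_]" } @safe),   "\n";
```

Code that really needs every value of a parameter can call `multi_param()`, which makes the list-returning behaviour explicit.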

Contributor

h01ger commented Feb 21, 2017

https://bugs.debian.org/855705 has a patch for this issue.

Contributor

h01ger commented Feb 21, 2017

Does this affect 2.0.6 too? And 2.999.6? (Enotime to check right now, but it would be good if someone did…)

carnil commented Feb 22, 2017

A CVE has been requested via https://cveform.mitre.org/

carnil commented Feb 22, 2017

This has been assigned CVE-2017-6188 by MITRE

mejo- commented Feb 24, 2017

I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too.

The proposed patch by Tomaž Šolc from Debian Bugreport #855705 fixes this particular vulnerability.

Contributor

h01ger commented Feb 24, 2017

h01ger added a commit that referenced this issue Mar 1, 2017

Fix wrong parameter expansion in CGI
As Tomaž Šolc <tomaz.solc@tablix.org> said :

	Munin package in Jessie has a local file write vulnerability when CGI graphs are
	enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
	file accessible to the www-data user.

And sstj <stevie.trujillo@gmail.com> said :

	Running munin-2.0.25 on Gentoo. I observed this message in the logs

	2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context
	from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to
	vulnerabilities. See the warning in "Fetching the value or values of a
	single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm
	line 404.

	This allows injecting options into munin-cgi-graph (similar to
	http://munin-monitoring.org/ticket/1238 ), by doing something like
	this:

	&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

	which wrote the graph to /tmp/test.txt

Closes: #721, D:855705, CVE-2017-6188

@ndowens ndowens referenced this issue Mar 21, 2017

Merged

munin: 2.0.30 -> 2.0.33; for CVE-2017-6188 #24182

Collaborator

sumpfralle commented Feb 21, 2018

This issue is fixed, or?

  • stable-2.0: 42ce18f
  • master: the relevant code was replaced before (according to Steve Schnepp in Debian #855705)