New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
munin-cgi-graph CGI::param security problem #721
Comments
|
https://bugs.debian.org/855705 has a patch for this issue. |
|
Does this affect 2.0.6 too? And 2.999.6? (Enotime to check right now, but it would be good if someone did…) |
|
A CVE has been requested via https://cveform.mitre.org/ |
|
This has been assigned CVE-2017-6188 by MITRE |
|
I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too. The proposed patch by Tomaž Šolc from Debian Bugreport #855705 fixes this particular vulnerability. |
|
control: found -1 2.0.6-4+deb7u2
control: tags -1 pending
thanks
On Fri, Feb 24, 2017 at 01:37:55AM -0800, mejo- wrote:
I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too.
The proposed patch by Tomaž Šolc from [Debian Bugreport #855705](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5) fixes this particular vulnerability.
thanks, mejo, for confirming this both!
…--
cheers,
Holger
|
As Tomaž Šolc <tomaz.solc@tablix.org> said : Munin package in Jessie has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user. And sstj <stevie.trujillo@gmail.com> said : Running munin-2.0.25 on Gentoo. I observed this message in the logs 2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404. This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this: &upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt which wrote the graph to /tmp/test.txt Closes: #721, D:855705, CVE-2017-6188
|
This issue is fixed, or?
|
Running munin-2.0.25 on Gentoo. I observed this message in the logs
2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404.
This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this:
&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt
which wrote the graph to /tmp/test.txt
The text was updated successfully, but these errors were encountered: