munin-cgi-graph CGI::param security problem #721

Closed
sstj opened this issue Jul 27, 2016 · 7 comments
sstj commented Jul 27, 2016

Running munin-2.0.25 on Gentoo. I observed this message in the logs

2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404.

This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this:

&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

which wrote the graph to /tmp/test.txt
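
The list-context behaviour reported above, as an added example that is not part of the original issue and not munin's own code. The helper names `build_args_unsafe` and `build_args_safe`, the `graph` placeholder and the `--upper-limit` argument name are assumptions made for illustration; the query string is the one quoted in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed sample request: the repeated parameter quoted in the report.
my $q = CGI->new('upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt');
$CGI::LIST_CONTEXT_WARN = 0;    # silence the warning from the log for this demo

# Hypothetical argument builders; not the code at munin-cgi-graph line 450.

# Unsafe: the argument list of push is list context, so param() returns
# every value of the repeated parameter and all of them end up in @args,
# where later values are indistinguishable from real options.
sub build_args_unsafe {
    my ($q) = @_;
    my @args = ('graph');
    push @args, '--upper-limit', $q->param('upper_limit');
    return @args;
}

# Safer: force scalar context so only one value is taken, then accept it
# only if it is a plain number before it reaches the argument list.
sub build_args_safe {
    my ($q) = @_;
    my @args = ('graph');
    my $limit = scalar $q->param('upper_limit');
    if (defined $limit && $limit =~ /\A-?\d+(?:\.\d+)?\z/) {
        push @args, '--upper-limit', $limit;
    }
    return @args;
}

print "unsafe: @{[ build_args_unsafe($q) ]}\n";
print "safe:   @{[ build_args_safe($q) ]}\n";
```

Forcing scalar context alone stops the extra values from being appended; the numeric check additionally rejects a single value that is not a number.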


h01ger commented Feb 21, 2017

https://bugs.debian.org/855705 has a patch for this issue.


h01ger commented Feb 21, 2017

Does this affect 2.0.6 too? And 2.999.6? (Enotime to check right now, but it would be good if someone did…)


carnil commented Feb 22, 2017

A CVE has been requested via https://cveform.mitre.org/


carnil commented Feb 22, 2017

This has been assigned CVE-2017-6188 by MITRE


mejo- commented Feb 24, 2017

I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too.

The proposed patch by Tomaž Šolc from Debian Bugreport #855705 fixes this particular vulnerability.


h01ger commented Feb 24, 2017 via email

h01ger pushed a commit that referenced this issue Mar 1, 2017
As Tomaž Šolc <tomaz.solc@tablix.org> said :

	Munin package in Jessie has a local file write vulnerability when CGI graphs are
	enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
	file accessible to the www-data user.

And sstj <stevie.trujillo@gmail.com> said :

	Running munin-2.0.25 on Gentoo. I observed this message in the logs

	2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context
	from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to
	vulnerabilities. See the warning in "Fetching the value or values of a
	single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm
	line 404.

	This allows injecting options into munin-cgi-graph (similar to
	http://munin-monitoring.org/ticket/1238 ), by doing something like
	this:

	&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

	which wrote the graph to /tmp/test.txt

Closes: #721, D:855705, CVE-2017-6188

@sumpfralle

This issue is fixed, isn't it?

  • stable-2.0: 42ce18f
  • master: the relevant code was replaced before (according to Steve Schnepp in Debian #855705)
