munin-cgi-graph CGI::param security problem #721

Closed
@sstj

Description

Running munin-2.0.25 on Gentoo. I observed this message in the logs:

2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404.

This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this:

&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

which wrote the graph to /tmp/test.txt.
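The root cause reported above is the list-context call to `CGI::param`: a repeated query parameter expands into several list elements, so values that were meant to be one option argument become extra arguments on the command line. The following is an added example, not code from munin-cgi-graph or from the reporter. It reproduces the pattern with the query string from the report, then shows the hardened form: fetch the value in scalar context, reject parameters that were supplied more than once (using `multi_param`, which is available in CGI.pm 4.08 and later, the same releases that emit the warning), and validate the value as a number before it is allowed anywhere near an argument list. The `build_args_unsafe` and `build_args_safe` helpers and the `graph -` placeholder arguments are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not munin's code): why CGI::param in list context lets a
# repeated query parameter smuggle extra items into an argument list, and
# how to fetch the parameter safely. Helper names are hypothetical.
use strict;
use warnings;
use CGI;

# Constructed query string, repeating the pattern from the report.
my $q = CGI->new('upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt');

# Vulnerable idiom: param() in list context returns every value, so the
# repeated parameter expands into three separate list elements here.
sub build_args_unsafe {
    my ($cgi) = @_;
    my @args = ('graph', '-');                                   # placeholder argv
    push @args, '--upper-limit', $cgi->param('upper_limit');     # list context!
    return @args;
}

# Hardened idiom: refuse repeated parameters outright, force scalar context
# so only one value is ever read, and validate the value against the type
# the option expects before it becomes a command-line argument.
sub build_args_safe {
    my ($cgi) = @_;
    my @values = $cgi->multi_param('upper_limit');              # all values, explicitly
    die "upper_limit supplied more than once\n" if @values > 1;
    my $limit = scalar $cgi->param('upper_limit');               # scalar context: one value
    return ('graph', '-') unless defined $limit;
    die "upper_limit is not numeric\n" unless $limit =~ /\A-?\d+(?:\.\d+)?\z/;
    return ('graph', '-', '--upper-limit', $limit);
}

# The unsafe builder yields six argv elements, the last two being the
# attacker-controlled --output-file pair; the safe builder dies instead.
print "unsafe: ", join(' ', build_args_unsafe($q)), "\n";

my @safe = eval { build_args_safe($q) };
print "safe:   ", ($@ ? "rejected: $@" : join(' ', @safe) . "\n");
```

Run it with a CGI.pm that has `multi_param` (4.08 or newer). With an older CGI.pm, replace the `multi_param` line with a list-context `param` call whose result is stored in `@values`; the point is the same, namely that multiplicity must be checked deliberately rather than leaking into an argument list. A generic guard for scripts with many parameters is to apply the same "exactly one, matches an expected pattern" check to every parameter that is ever passed to an external command.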
