Re: Mrtg Path Disclosure Vulnerability

Unless I'm terribly confused, mrtg only generates files and runs off
cron, not as a cgi.  So you're dealing with something other than mrtg
itself.  Also, the current version is 2.9.18pre1.

Barney Wolff

On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
> 
> Summary:
> If an attacker submits a web request containing unexpected arguments
> for script variables, an error message will be displayed containing
> the path to the webroot directory of the server running the Mrtg cgi
> script.
> 
> http://host/mrtg.cgi?cfg=blabla
> 
> Tested:
> Mrtg v2.090011
> Mrtg v2.090006
> 
> Vulnerable:
> Mrtg v2.090011
> Mrtg v2.090006
> 
> And maybe others.
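
The following is an added example, not part of either post and not the code of the mrtg.cgi script discussed: a hypothetical handler for the `cfg` parameter that shows how a raw error string leaks a server path, next to a variant that validates the value and keeps the detail in the server log. The handler names, `CFG_DIR` and the `.cfg` suffix are assumptions.

```python
import logging
import os
import re

log = logging.getLogger("cfg_handler")

# Assumed layout: config files sit in one directory outside the webroot.
CFG_DIR = "/etc/mrtg"  # hypothetical path
# Accept bare names only: no slashes, dots or other path syntax.
CFG_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def leaky_handler(cfg, cfg_dir=CFG_DIR):
    """'Before': the raw OS error, including the full path, goes to the client."""
    path = os.path.join(cfg_dir, cfg + ".cfg")
    try:
        with open(path) as fh:
            return 200, fh.read()
    except OSError as exc:
        # str(exc) embeds the absolute file name the server tried to open.
        return 500, "Error: %s" % exc


def safe_handler(cfg, cfg_dir=CFG_DIR):
    """'After': validate the parameter, log detail server-side, answer generically."""
    if not CFG_NAME.fullmatch(cfg or ""):
        log.warning("rejected cfg parameter %r", cfg)
        return 400, "Invalid request."
    path = os.path.join(cfg_dir, cfg + ".cfg")
    try:
        with open(path) as fh:
            return 200, fh.read()
    except OSError as exc:
        # The path and errno stay in the log, never in the response body.
        log.error("cannot read %s: %s", path, exc)
        return 404, "Configuration not found."
```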
