Barney,

You're correct. 'mrtg.cgi' is not part of MRTG. It's from a completely independent utility called 'mrtgconfig'. The project homepage is:

http://mrtgconfig.sourceforge.net/

The path disclosure issue (version 0.5.9):

[dma@victim mrtgconfig]$ /home/dma/mtrg/mrtgconfig/mrtg.cgi
(offline mode: enter name=value pairs on standard input)
cfg
Content-type: text/html

<H1>Software error:</H1>
<CODE>Can't open configuration file for mrtgconfig: No such file or directory at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46, <STDIN> chunk 1.
</CODE>
<P>
For help, please send mail to this site's webmaster, giving this error message and the time and date of the error.

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Mon, 4 Feb 2002, Barney Wolff wrote:

> Unless I'm terribly confused, mrtg only generates files and runs off
> cron, not as a cgi. So you're dealing with something other than mrtg
> itself. Also, the current version is 2.9.18pre1.
>
> Barney Wolff
>
> On Mon, Feb 04, 2002 at 02:18:54AM +0200, Tamer Sahin wrote:
> >
> > Summary:
> > If an attacker submits a web request containing unexpected arguments
> > for script variables, an error message will be displayed containing
> > the path to the webroot directory of the server running the Mrtg cgi
> > script.
> >
> > http://host/mrtg.cgi?cfg=blabla
> >
> > Tested:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > Vulnerable:
> > Mrtg v2.090011
> > Mrtg v2.090006
> >
> > And may be other.
>
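The "Software error:" page quoted in the message above is the wrapper that CGI::Carp's fatalsToBrowser puts around a Perl die() message; the " at /home/dma/mrtg/mrtgconfig/mrtg.cgi line 46, <STDIN> chunk 1." suffix is added by Perl itself whenever the die() string does not end in a newline. As an added example (not mrtgconfig's code, and not from either poster), here is a small Perl CGI showing that leaking pattern next to a hardened one; the /etc/mrtgconfig directory and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not code from mrtgconfig: a CGI taking a "cfg" parameter.
use strict;
use warnings;
use CGI;

my $cfg_dir = '/etc/mrtgconfig';   # assumed location for this example

# Leaking pattern. A die() message with no trailing newline gets
# " at /full/path/to/script.cgi line N." appended by Perl, and under
# CGI::Carp's fatalsToBrowser (or a server that echoes STDERR into the
# response) that text, path included, reaches the client unchanged.
sub open_config_leaky {
    my ($name) = @_;
    open(my $fh, '<', "$cfg_dir/$name.cfg")
        or die "Can't open configuration file for mrtgconfig: $!";
    return $fh;
}

# Hardened pattern. Validate the parameter before touching the filesystem,
# keep the detailed message (path, errno) in the server's error log via
# warn(), and die() with a short message ending in "\n", which tells Perl
# not to append the script name and line number.
sub open_config_safe {
    my ($name) = @_;
    die "invalid configuration name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $path = "$cfg_dir/$name.cfg";
    open(my $fh, '<', $path) or do {
        warn "mrtg.cgi: cannot open $path: $!\n";   # STDERR -> error_log only
        die "configuration not found\n";
    };
    return $fh;
}

my $q = CGI->new;
print $q->header(-type => 'text/html');

# eval() catches the die() so this script controls its own error page instead
# of letting the generic "Software error" handler print Perl's message.
my $fh = eval { open_config_safe(scalar $q->param('cfg')) };
if (!$fh) {
    print $q->h1('Error'),
          $q->p('The requested configuration could not be loaded.');
    exit 0;
}
while (my $line = <$fh>) { print $q->escapeHTML($line), "<br>\n"; }
close $fh;
```

With the hardened version, a request such as the one in the report yields only the generic page, while the full path and OS error land in the web server's error log where an administrator can see them.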