-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/* This is the Mrtg web frontend 14all.cgi bug. The revised security announcement is below. */

Mrtg/RRD 14all.cgi Path Disclosure Vulnerability

Type:
Input Validation Error

Release Date:
February 4, 2002

Product / Vendor:
14all.cgi is a CGI script that creates HTML pages and graphics for Mrtg.

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-rrd.html

Summary:
If an attacker submits a web request containing unexpected arguments for
script variables, the script displays an error message that contains the
path to the webroot directory of the server running the Mrtg/RRD 14all.cgi
script.

http://host/mrtg.cgi?cfg=blabla

Tested:
Mrtg/RRD 14all.cgi v1.1p15

Vulnerable:
Mrtg/RRD 14all.cgi v1.1p15
Other versions may also be affected.

Demonstration:
http://barnes.bloomu.edu/cgi-bin/mrtg.cgi?cfg=blabla

Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or illegal
use of any of the information and/or the software listed in this security
advisory.

Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPGBc+buLpFMrXtywEQJRLACfQ6sMmsTi4fD3PG3p7AFDxmo3XogAnj58
fnyk5QpMwxQQ7WBFTQ/w+fj+
=rxm+
-----END PGP SIGNATURE-----
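
Added example (not part of the advisory, and not 14all.cgi's own Perl code): a Python sketch of the failure mode in the Summary, where a raw file-open error is echoed to the client, beside a handler that validates cfg and returns a fixed message. It assumes cfg names a file inside a configuration directory; the function names, the CFG_NAME pattern and the PATH_LEAK heuristic are hypothetical.

```python
import logging
import os
import re

log = logging.getLogger("mrtg_frontend")  # hypothetical logger name

# Assumption: cfg is a bare file name such as "router.cfg" inside cfg_dir.
CFG_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.cfg")
GENERIC_ERROR = "Error: unknown configuration"
# Heuristic: two or more path segments (Unix) or a drive-letter path (Windows).
PATH_LEAK = re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[\w.\\-]+")


def handle_vulnerable(cfg, cfg_dir):
    """The 'before': the raw open() error, full path included, reaches the client."""
    try:
        with open(os.path.join(cfg_dir, cfg)) as fh:
            return 200, f"loaded {len(fh.read())} bytes"
    except OSError as exc:
        return 500, f"Error: {exc}"  # str(exc) carries the server-side path


def handle_hardened(cfg, cfg_dir):
    """Validate cfg first; log details server-side; send only a fixed message."""
    if not CFG_NAME.fullmatch(cfg or ""):
        log.warning("rejected cfg=%r", cfg)
        return 400, GENERIC_ERROR
    try:
        with open(os.path.join(cfg_dir, cfg)) as fh:
            return 200, f"loaded {len(fh.read())} bytes"
    except OSError as exc:
        log.warning("cfg=%r failed: %s", cfg, exc)  # path stays in the log
        return 404, GENERIC_ERROR


def leaks_path(body):
    """Regression check: does a response body contain a filesystem-like path?"""
    return bool(PATH_LEAK.search(body))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed config directory
        for handler in (handle_vulnerable, handle_hardened):
            status, body = handler("blabla", d)
            print(handler.__name__, status, body, "leak:", leaks_path(body))
```

leaks_path can be run over a frontend's error responses as a regression test; because it is a heuristic, it also matches URLs with two or more path segments.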