tags 668536 + upstream
thanks
Hi Helmut,
many thanks for filing this bug report!
On Donnerstag, 12. April 2012, Helmut Grohne wrote:
> /usr/lib/cgi-bin/munin-cgi-graph uses predictable filenames in /tmp
> which might allow privilege escalation to www-data or denial of serving
> graphs. The filenames always start with /tmp/munin-cgi-graph/.
doh. To be clear: The path always start with /tmp/munin-cgi-graph/ and then
it's fully and easily predictable:
the relevant code from master/_bin/munin-cgi-graph.in:
sub get_picture_filename {
[...]
my $cgi_tmp_dir = $config->{cgitmpdir} || "/tmp/munin-cgi-tmp";
[...]
return "$cgi_tmp_dir/$domain/$name/$service-$scale.png" . $params;
cheers,
Holger
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
