[UNIX] Rrdbrowse Arbitrary File Disclosure Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Rrdbrowse Arbitrary File Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.rrdbrowse.org> RRDBrowse is "a poller daemon, templater and
web interface for RRDTool. It has a threaded daemon which periodically runs
from cron. It works with small .nfo files which hold router information
and optionally connection details, colors, min max, bandwidth settings,
etc, etc. RRDBrowse uses a small caching mechanism to store interface
names. It's much MRTG like in its current state". Due to improper input
validation in rrdbrowse, a remote attacker can cause the program to
include arbitrary files and display their contents.

DETAILS

Vulnerable Systems:
* rrdbrowse version 1.6 and prior

Immune Systems:
* rrdbrowse version 1.7

Due to improper input validation, the CGI application "rrdbrowse" is
vulnerable to arbitrary file disclosure. It allows an unauthenticated
remote attacker to read any file on the remote system that the user the
web server runs as has permission to read. An attacker can thus gain
access to potentially sensitive information.

Exploit:
The vulnerability is trivial to exploit and only requires requesting a
URL whose "file" parameter contains a relative path that traverses out
of the intended directory, such as
http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd

As the input to the "file" parameter is not validated in any way,
requesting this URL exposes the contents of /etc/passwd to a remote
attacker (interestingly, all of it except the first line).
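The following is an added example, not code from rrdbrowse or its author,
showing the class of bug described above and one way to close it. It
assumes the CGI keeps its page files in a single directory, that the
"file" parameter names a file relative to that directory, and that page
files carry the .nfo extension mentioned in the product description; the
function names, the directory layout and the sample files are constructed
for the demonstration. It also includes a small log-review heuristic for
spotting traversal attempts in the "file" value, including percent-encoded
variants.

```python
"""Path traversal through an unchecked "file" parameter, and one way to close it.

Added example code, not rrdbrowse's own source. Assumptions: the CGI keeps
its page files in one directory, the "file" parameter names a file relative
to that directory, and page files use the .nfo extension mentioned in the
product description. Function names and sample data are constructed here.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit


def file_param_from_url(url: str) -> str:
    """Pulls the 'file' query parameter out of a request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("file", [""])[0]


def load_page_vulnerable(page_dir: str, file_param: str) -> str:
    """Mimics the reported flaw: the parameter is joined to the page directory
    with no validation, so '../' sequences (or an absolute path, which
    os.path.join lets override page_dir entirely) escape it."""
    with open(os.path.join(page_dir, file_param)) as fh:
        return fh.read()


def load_page_safe(page_dir: str, file_param: str) -> str:
    """Hardened loader: canonicalise base and target (following symlinks),
    then insist the target lies strictly inside page_dir and has the
    expected extension. Anything else is refused before the file is opened."""
    base = Path(page_dir).resolve()
    target = (base / file_param).resolve()
    if base not in target.parents:
        raise PermissionError(f"refusing path outside page directory: {file_param!r}")
    if target.suffix != ".nfo":  # assumed page-file extension
        raise PermissionError(f"unexpected file type: {file_param!r}")
    return target.read_text()


def looks_like_traversal(file_param: str) -> bool:
    """Log-review heuristic: flag a 'file' value that is absolute or contains a
    parent-directory component, after percent-decoding so encoded variants
    such as %2e%2e/ are caught as well."""
    decoded = unquote(file_param)
    parts = decoded.replace("\\", "/").split("/")
    return decoded.startswith("/") or ".." in parts


def demo() -> dict:
    """Builds a throwaway page directory with one legitimate .nfo file and a
    'secret' file one level up (constructed stand-in for /etc/passwd), then
    runs both loaders against the advisory's style of payload."""
    root = Path(tempfile.mkdtemp())
    pages = root / "pages"
    pages.mkdir()
    (pages / "router1.nfo").write_text("name=router1\n")
    (root / "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")

    payload = "../secret.txt"
    results = {"vuln_leak": load_page_vulnerable(str(pages), payload)}
    try:
        load_page_safe(str(pages), payload)
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    results["safe_ok"] = load_page_safe(str(pages), "router1.nfo")
    return results


if __name__ == "__main__":
    url = "http://target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd"
    print("traversal flagged:", looks_like_traversal(file_param_from_url(url)))
    print(demo())
```

The safe loader deliberately compares resolved paths rather than
searching the raw string for "..": resolving follows symlinks and collapses
encoded or odd separators, so a symlink inside the page directory that
points outside it is rejected too, and the extension check narrows the
surface further even for files that do sit inside the directory.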

Workaround:
To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has
released an updated CVS version (1.7) of the software, which is available
at http://www.rrdbrowse.org. All users of rrdbrowse are therefore asked
to test and install this version as soon as possible.

Disclosure Timeline:
06. February 2007 - Notified vendor
14. February 2007 - Patch/new version released
04. March 2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:sebastian@xxxxxxxxxxxxxx>
Sebastian Wolfgarten.


