exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rrdbrowse-advisory-03-2007.txt

rrdbrowse-advisory-03-2007.txt
Posted Mar 8, 2007
Authored by Sebastian Wolfgarten | Site devtarget.org

rrdbrowse versions 1.6 and below suffer from an arbitrary file disclosure vulnerability.

tags | exploit, arbitrary
SHA-256 | cca8d4336f4a7dd8d011665d3a65fb9d0b0656fdacef8ac9fe5e6dff2d1478e9

rrdbrowse-advisory-03-2007.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in
rrdbrowse

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in
rrdbrowse <= 1.6

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: March 4th, 2007

Severity: Medium

References: http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt

III - OVERVIEW

Quote from rrdbrowse.org: "RRDBrowse is a poller daemon, templater and
webinterface for RRDTool. It has a threaded daemon which periodically
runs from cron. It works with small .nfo files which hold router
information and optionally connection details, colors, min max,
bandwidth settings, etc, etc. RRDBrowse uses a small caching mechanism
to store interface names. It's much MRTG like in it's current state".
More information about the product can be found online at
http://www.rrdbrowse.org.

IV - DETAILS

Due to inproper input validation, the CGI application "rrdbrowse"
(versions <=1.6) is vulnerable to an arbitrary file disclosure
vulnerability. It allows an unauthenticated remote attacker to read any
file on the remote system if the user the webserver is running as has
permissions to do so. Thus an attacker is able to gain access
potentially sensitive information.

V - EXPLOIT CODE

The vulnerability is trivial to exploit and only requires specifying an
URL with a relative file path on the remote system such as

http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd

As the input to the "file" parameter is not validated in any way
accessing this URL will expose the contents of /etc/passwd to a remote
attacker (interestingly except the first line).

VI - WORKAROUND/FIX

To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has
released an updated CVS version (1.7) of the software which is available
at http://www.rrdbrowse.org. Hence all users of rrdbrowse are asked to
test and install this version as soon as possible.

VII - DISCLOSURE TIMELINE

06. February 2007 - Notified vendor
14. Feburary 2007 - Patch/new version released
04. March 2007 - Public disclosure
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF6x+Gd8QFWG1Rza8RAl6FAKCw6la8aVEeWRjqQrodHDUDAl3vtgCgwmam
X8HoWAJAhG3FlWeOebHRCTY=
=ifKG
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close