[Secure-testing-team] Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)
Helmut Grohne
helmut at subdivi.de
Thu Jul 26 13:30:11 UTC 2012
Package: munin
Version: 2.0.2-1
Severity: grave
Tags: security
Justification: user security hole
The default apache configuration shipped and automatically enabled by
munin is insecure, because it includes an authentication bypass. The
config intends to restrict access to the graphs to localhost:
| <Directory /var/cache/munin/www>
| Order allow,deny
| Allow from localhost 127.0.0.0/8 ::1
| ....
Unfortunately this restriction does not apply to scripts like
/usr/lib/cgi-bin/munin-cgi-graph or
| ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html
So just by going to http://$IP/munin-cgi you get to know what you need
(some paths may be wrong), and you can look at graphs by going to, for
example,
http://$IP/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/processes-day.png.
This works with a freshly installed munin, munin-node, apache2 without
any further configuration.
Note that removing /etc/apache2/conf.d/munin is *not* a workaround for
this issue, because /cgi-bin/munin-cgi-graph still works.
This issue is related to #649520.
Helmut
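
The configuration described in this report, followed by one way to restrict the CGI scripts themselves. This is an added example, not part of the original message and not the fix shipped by the package; the FilesMatch pattern is an assumption built from the two script names mentioned above.

```apache
# --- As reported: only the static HTML directory is restricted ---
<Directory /var/cache/munin/www>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
# The script behind this alias lives in /usr/lib/cgi-bin, so the
# <Directory /var/cache/munin/www> block above never applies to it.
ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html

# --- Added restriction (Apache 2.2 syntax, matching the report) ---
# Restrict by filesystem path rather than by URL, so the rule holds for
# every URL that maps to the scripts: /munin-cgi as well as
# /cgi-bin/munin-cgi-graph/... served through the site-wide cgi-bin alias.
# <Files>/<FilesMatch> sections are merged after <Directory> sections,
# so this takes precedence over a permissive <Directory /usr/lib/cgi-bin>
# block defined elsewhere in the server configuration.
<Directory /usr/lib/cgi-bin>
    # Assumed pattern: the two munin CGI scripts named in the report.
    <FilesMatch "^munin-cgi-(graph|html)$">
        Order allow,deny
        Allow from localhost 127.0.0.0/8 ::1
    </FilesMatch>
</Directory>
```

After reloading Apache, a request for either script from a non-local address should be answered with 403 while requests from localhost still succeed.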