[Secure-testing-team] Bug#855705: munin-cgi-graph local file write vulnerability
Tomaž Šolc
tomaz.solc at tablix.org
Tue Feb 21 13:42:26 UTC 2017
Package: munin
Version: 2.0.25-1
Severity: grave
Tags: security patch
Justification: user security hole
Dear Maintainers,

The Munin package in Jessie has a local file write vulnerability when CGI graphs are
enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the www-data user.

This was originally reported on GitHub by sstj here:
https://github.com/munin-monitoring/munin/issues/721

For example, requesting a URL like the following will create "/tmp/test":
http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test

Attached is a simple patch that fixes the problem.

Best regards
Tomaž
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-fix-parameter-injection.patch
Type: text/x-diff
Size: 1062 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20170221/e20201cb/attachment.patch>
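
A log check for the request pattern described in the report, added here as an example; it is not part of the original message or of Munin. It assumes access logs in Common/Combined Log Format and that a legitimate "upper_limit" is a single numeric value; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the report; extend the tuple to watch other parameters.
WATCHED = ("upper_limit",)
# Assumption: a legitimate value is one plain number.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?([eE][+-]?\d+)?")
# Request line inside a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_url(url, watched=WATCHED):
    """Return the reasons a munin-cgi-graph request URL looks like parameter injection."""
    parts = urlsplit(url)
    if "munin-cgi-graph" not in parts.path:
        return []
    findings = []
    # parse_qsl percent-decodes, so encoded variants such as %2D%2D are caught too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for name in watched:
        values = [v for k, v in pairs if k == name]
        if len(values) > 1:
            findings.append(f"{name} repeated {len(values)} times")
        for v in values:
            if not NUMERIC.fullmatch(v):
                findings.append(f"{name} has non-numeric value {v!r}")
    return findings

def scan_log(lines):
    """Yield (line_number, findings) for each suspicious access-log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            findings = check_url(m.group(1))
            if findings:
                yield n, findings

# Constructed sample log lines (documentation addresses, made-up graph paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2017:13:00:01 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png HTTP/1.1" 200 1234',
    '192.0.2.10 - - [21/Feb/2017:13:00:02 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=100 HTTP/1.1" 200 1234',
    '198.51.100.7 - - [21/Feb/2017:13:00:03 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(findings))
```

A hit only shows that such a request was received; files owned by www-data with unexpected modification times around the logged timestamp are the follow-up check.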