#1238 closed defect (fixed)

munin-cgi-graph: HTTP client can control @ARGV when used as a CGI script

Reported by: cnu
Owned by: nobody
Priority: normal
Milestone: Munin 2.0.0
Component: web-interface
Version: devel
Severity: normal
Keywords: security


When using munin-cgi-graph as a CGI script under Apache, one can specify a different config like this.
munin-cgi-graph will exit almost immediately because of has_offending_chars, though.

POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1
Connection: close
Content-Length: 12

logdir /tmp

# cat /tmp/munin-cgi-graph.log
2012/07/04 18:03:57 Opened log file

Change History (3)

comment:1 Changed at 2012-07-04T21:51:29+02:00 by kenyon

  • Keywords security added

comment:2 Changed at 2012-08-14T20:50:23+02:00 by ze

Need to find a way to know if arguments are "bad arguments" provided by Apache, or somehow provided by someone trying to spawn a CGI...

Currently launching:

sudo spawn-fcgi -F $MAX -s /var/run/munin/fcgi-graph.sock -U www-data \
    -u $user -g $group -- /data/munin-dev/pkg/www/cgi/munin-cgi-graph --config=/some/other/path/munin.conf

If params get removed completely, we need a way to specify the config file in another way...

comment:3 Changed at 2012-08-29T09:56:11+02:00 by snide

  • Milestone set to Munin 2.0
  • Resolution set to fixed
  • Status changed from new to closed

64dfec, db9ba4 & 980f5c5f are taking care of this.

Now env var MUNIN_CONFIG is used to specify an alternate munin.conf.
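
A log check for the request shape in the ticket description, added here as an example and not part of the ticket or of Munin's code: it reconstructs the arguments a CGI server derives from a query string with no unencoded `=` (split on `+`, then URL-decoded) and flags munin-cgi-graph requests where any argument starts with `-`. The log lines are constructed, and the combined log format and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT = "/cgi-bin/munin-cgi-graph"  # script path as it appears in the ticket


def cgi_argv(query):
    """Return the arguments a CGI server derives from an 'indexed' query.

    A query with no unencoded '=' is split on '+' and each word is
    URL-decoded; any other query yields no arguments.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]


def suspicious_requests(log_lines):
    """Return (line, argv) pairs for script requests whose query becomes options."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(SCRIPT):
            continue
        argv = cgi_argv(query)
        if any(arg.startswith("-") for arg in argv):
            hits.append((line, argv))
    return hits


# Constructed sample log lines (not taken from the ticket).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2012:18:03:57 +0200] "POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1" 200 0',
    '192.0.2.11 - - [04/Jul/2012:18:04:10 +0200] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost/cpu-day.png?size_x=800&size_y=400 HTTP/1.1" 200 20480',
    '192.0.2.12 - - [04/Jul/2012:18:05:02 +0200] "GET /cgi-bin/munin-cgi-graph/x.png?%2D%2Dconfig+/tmp/m.conf HTTP/1.1" 200 0',
    '192.0.2.13 - - [04/Jul/2012:18:06:00 +0200] "GET /munin/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line, argv in suspicious_requests(SAMPLE_LOG):
        print(argv, "<-", line)
```

Ordinary graph requests carry `name=value` pairs, so they produce no arguments and are not flagged.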
