Opened 11 months ago
Closed 9 months ago
#1238 closed defect (fixed)
munin-cgi-graph: HTTP client can control @ARGV when used as a CGI script
| Reported by: | cnu | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | Munin 2.0.0 |
| Component: | web-interface | Version: | devel |
| Severity: | normal | Keywords: | security |
| Cc: | | | |
Description
When using munin-cgi-graph as a CGI script under Apache, one can specify a different config like this.
munin-cgi-graph will exit almost immediately because of has_offending_chars, though.
POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1
Connection: close
Content-Length: 12

logdir /tmp
# cat /tmp/munin-cgi-graph.log
2012/07/04 18:03:57 Opened log file
Change History (3)
comment:1 Changed 11 months ago by kenyon
- Keywords security added
comment:2 Changed 9 months ago by ze
comment:3 Changed 9 months ago by snide
- Milestone set to Munin 2.0
- Resolution set to fixed
- Status changed from new to closed
64dfec, db9ba4 & 980f5c5f are taking care of this.
Now env var MUNIN_CONFIG is used to specify an alternate munin.conf.

Need to find a way to know if arguments are "bad arguments" provided by apache, or somehow provided by someone trying to spawn a cgi...
Currently launching :
sudo spawn-fcgi -F $MAX -s /var/run/munin/fcgi-graph.sock -U www-data \
If params get removed completely, we need a way to specify the config file in another way...
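The mechanism behind the ticket (an "indexed" query string turning into @ARGV) and the distinction the notes above ask for (arguments supplied by Apache versus by whoever ran spawn-fcgi) can both be shown in a small model. The following is an added Python illustration, not Munin's Perl code: the default config path, the `--config` option shape and the GATEWAY_INTERFACE heuristic are assumptions made for the example, and MUNIN_CONFIG is the variable named in comment 3.

```python
"""Added illustration (not Munin code): why a CGI script's @ARGV is
attacker-controlled, and one way to stop trusting it under a web server.

RFC 3875 section 4.4 ("indexed" queries): when QUERY_STRING contains no
unencoded '=', the server splits it on '+', URL-decodes each word and
passes the words as the script's command-line arguments. That is what
turns the ticket's request
    POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin
into argv == ['--config', '/dev/stdin'], so a '--config' taken from argv
points at the request body (which is the script's stdin under CGI).
"""
from __future__ import annotations

from urllib.parse import unquote

# Assumed default path for the example only.
DEFAULT_CONFIG = "/etc/munin/munin.conf"


def indexed_query_to_argv(query_string: str) -> list[str]:
    """Model of the RFC 3875 indexed-query rule as mod_cgi applies it.

    A form-style query containing '=' yields no extra arguments; anything
    else is split on '+' and each piece percent-decoded into one argument.
    """
    if not query_string or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]


def parse_config_option(argv: list[str]) -> str | None:
    """Minimal Getopt-style scan for '--config PATH' or '--config=PATH'
    (assumed option shape for the example)."""
    args = iter(argv)
    for arg in args:
        if arg == "--config":
            return next(args, None)
        if arg.startswith("--config="):
            return arg[len("--config="):]
    return None


def vulnerable_choose_config(argv: list[str]) -> str:
    """Pre-fix pattern: whatever '--config' says, regardless of who put it
    in argv. Under mod_cgi that is the HTTP client."""
    return parse_config_option(argv) or DEFAULT_CONFIG


def argv_is_trusted(environ: dict[str, str]) -> bool:
    """Heuristic for the question raised in the notes above.

    Every CGI gateway must set GATEWAY_INTERFACE (RFC 3875 section 4.1.4),
    so its presence at start-up means a web server built argv from the
    request. A process started by spawn-fcgi inherits the administrator's
    environment and command line instead, so argv is trustworthy there.
    """
    return "GATEWAY_INTERFACE" not in environ


def choose_config(argv: list[str], environ: dict[str, str]) -> str:
    """Hardened selection: honour '--config' only when argv is trusted;
    otherwise take MUNIN_CONFIG (set by the server or admin, never by the
    HTTP client) and fall back to the default."""
    if argv_is_trusted(environ):
        from_argv = parse_config_option(argv)
        if from_argv:
            return from_argv
    return environ.get("MUNIN_CONFIG") or DEFAULT_CONFIG


if __name__ == "__main__":
    # Constructed request matching the ticket; nothing is read from the network.
    query = "--config+/dev/stdin"
    argv = indexed_query_to_argv(query)
    cgi_env = {"GATEWAY_INTERFACE": "CGI/1.1", "QUERY_STRING": query}
    print("argv from query string :", argv)
    print("vulnerable picks       :", vulnerable_choose_config(argv))
    print("hardened picks         :", choose_config(argv, cgi_env))
    print("hardened + MUNIN_CONFIG:",
          choose_config(argv, {**cgi_env, "MUNIN_CONFIG": "/srv/munin/munin.conf"}))
```

The check keys on the process environment at start-up rather than on the shape of the arguments, because a hostile client can craft arguments that look exactly like an administrator's; the only thing the client cannot influence is whether a CGI gateway launched the process.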