From: Sebastian Wolfgarten <sebastian@wolfgarten.com>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Sun, 11 Feb 2007 17:19:09 +0100
Message-ID: <45CF41FD.6050306@wolfgarten.com>
Subject: [Full-disclosure] Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb)

I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in php rrd browser (prb)

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), http://www.devtarget.org
Date: February 11th, 2007
Severity: Medium
References: http://www.devtarget.org/prb-advisory-02-2007.txt

III - OVERVIEW

Quote from sourceforge.net: "Prb stands for php rrd browser, inspired by rrdbrowse and cacti. A modular framework for creating rrd databases, updating and graphing data, based on apache, php, mysql and rrdtool. It will allow you to graph just about anything you like". More information about the product can be found online at http://prb.sourceforge.net.

IV - DETAILS

Due to improper input validation, the web application "php rrd browser" (versions < 0.2.1) is vulnerable to an arbitrary file disclosure vulnerability. It allows an unauthenticated remote attacker to read any file on the remote system that the user the web server runs as has permission to read. Thus an attacker is able to gain access to potentially sensitive information.

V - EXPLOIT CODE

The vulnerability is trivial to exploit and only requires requesting a URL with a relative file path on the remote system, such as

http://$target/prb/www/?p=../../../../../../../etc/passwd

As the input to the "p" parameter is not validated in any way, accessing this URL will expose the contents of /etc/passwd to a remote attacker.

VI - WORKAROUND/FIX

To address this problem, the author of prb (Guillaume Fontaine) has released an updated version (0.2.1) of the software, which is available at http://prb.sourceforge.net. Hence all users of prb are asked to test and install this version as soon as possible.

VII - DISCLOSURE TIMELINE

07. February 2007 - Notified vendor
10. February 2007 - Patch released
11. February 2007 - Public disclosure
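Sections IV to VI describe an unvalidated "p" parameter that is used as a file path. The following Python is an added example, not code from the advisory or from prb: it shows a hardened page lookup (an allow-listed page name plus realpath confinement to one directory) and reuses that check to flag traversal attempts against ?p= in access-log lines. The pages directory, the .php suffix and the log lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout (not taken from prb itself): page scripts live under one
# directory and are selected by a bare name, never by a path.
PAGES_DIR = "/var/www/prb/www/pages"
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolve_page(p: str, pages_dir: str = PAGES_DIR):
    """Hardened lookup: return the page file for p, or None if p is anything
    other than a plain page name that resolves inside pages_dir."""
    if not PAGE_NAME.fullmatch(p):          # rejects '/', '\\', '..', '%', NUL
        return None
    root = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(root, p + ".php"))
    if os.path.commonpath([root, candidate]) != root:   # symlink escape guard
        return None
    return candidate


def scan_log(lines):
    """Return (client_ip, decoded p) for every request whose p parameter the
    hardened resolver would reject, i.e. traversal attempts against ?p=."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes once, so %2e%2e%2f is judged as ../
        for value in parse_qs(urlsplit(target).query).get("p", []):
            if resolve_page(value) is None:
                hits.append((client, value))
    return hits


# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Feb/2007:16:19:38 +0000] "GET /prb/www/?p=graphs HTTP/1.1" 200 4521',
    '198.51.100.7 - - [11/Feb/2007:16:20:01 +0000] "GET /prb/www/?p=../../../../../../../etc/passwd HTTP/1.1" 200 1839',
    '198.51.100.7 - - [11/Feb/2007:16:20:05 +0000] "GET /prb/www/?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1839',
]

if __name__ == "__main__":
    for client, p in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {client}: p={p!r}")
```

A 200 status on a flagged request is the signal that the unpatched version actually served the file; after upgrading to 0.2.1 the same requests should no longer return file contents.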