RRDBrowse <= 1.6 Remote Arbitrary File Disclosure Vulnerability

                                                I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in
rrdbrowse

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in
rrdbrowse&nbsp;<=&nbsp;1.6

Author:&nbsp;Sebastian&nbsp;Wolfgarten&nbsp;(sebastian&nbsp;at&nbsp;wolfgarten&nbsp;dot&nbsp;com),
http://www.devtarget.org

Date:&nbsp;March&nbsp;4th,&nbsp;2007

Severity:&nbsp;Medium

References:&nbsp;http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt

III&nbsp;-&nbsp;OVERVIEW

Quote&nbsp;from&nbsp;rrdbrowse.org:&nbsp;\"RRDBrowse&nbsp;is&nbsp;a&nbsp;poller&nbsp;daemon,&nbsp;templater&nbsp;and
webinterface&nbsp;for&nbsp;RRDTool.&nbsp;It&nbsp;has&nbsp;a&nbsp;threaded&nbsp;daemon&nbsp;which&nbsp;periodically
runs&nbsp;from&nbsp;cron.&nbsp;It&nbsp;works&nbsp;with&nbsp;small&nbsp;.nfo&nbsp;files&nbsp;which&nbsp;hold&nbsp;router
information&nbsp;and&nbsp;optionally&nbsp;connection&nbsp;details,&nbsp;colors,&nbsp;min&nbsp;max,
bandwidth&nbsp;settings,&nbsp;etc,&nbsp;etc.&nbsp;RRDBrowse&nbsp;uses&nbsp;a&nbsp;small&nbsp;caching&nbsp;mechanism
to&nbsp;store&nbsp;interface&nbsp;names.&nbsp;It\'s&nbsp;much&nbsp;MRTG&nbsp;like&nbsp;in&nbsp;it\'s&nbsp;current&nbsp;state\".
More&nbsp;information&nbsp;about&nbsp;the&nbsp;product&nbsp;can&nbsp;be&nbsp;found&nbsp;online&nbsp;at
http://www.rrdbrowse.org.

IV&nbsp;-&nbsp;DETAILS

Due&nbsp;to&nbsp;inproper&nbsp;input&nbsp;validation,&nbsp;the&nbsp;CGI&nbsp;application&nbsp;\"rrdbrowse\"
(versions&nbsp;<=1.6)&nbsp;is&nbsp;vulnerable&nbsp;to&nbsp;an&nbsp;arbitrary&nbsp;file&nbsp;disclosure
vulnerability.&nbsp;It&nbsp;allows&nbsp;an&nbsp;unauthenticated&nbsp;remote&nbsp;attacker&nbsp;to&nbsp;read&nbsp;any
file&nbsp;on&nbsp;the&nbsp;remote&nbsp;system&nbsp;if&nbsp;the&nbsp;user&nbsp;the&nbsp;webserver&nbsp;is&nbsp;running&nbsp;as&nbsp;has
permissions&nbsp;to&nbsp;do&nbsp;so.&nbsp;Thus&nbsp;an&nbsp;attacker&nbsp;is&nbsp;able&nbsp;to&nbsp;gain&nbsp;access
potentially&nbsp;sensitive&nbsp;information.

V&nbsp;-&nbsp;EXPLOIT&nbsp;CODE

The&nbsp;vulnerability&nbsp;is&nbsp;trivial&nbsp;to&nbsp;exploit&nbsp;and&nbsp;only&nbsp;requires&nbsp;specifying&nbsp;an
URL&nbsp;with&nbsp;a&nbsp;relative&nbsp;file&nbsp;path&nbsp;on&nbsp;the&nbsp;remote&nbsp;system&nbsp;such&nbsp;as

http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd

As&nbsp;the&nbsp;input&nbsp;to&nbsp;the&nbsp;\"file\"&nbsp;parameter&nbsp;is&nbsp;not&nbsp;validated&nbsp;in&nbsp;any&nbsp;way
accessing&nbsp;this&nbsp;URL&nbsp;will&nbsp;expose&nbsp;the&nbsp;contents&nbsp;of&nbsp;/etc/passwd&nbsp;to&nbsp;a&nbsp;remote
attacker&nbsp;(interestingly&nbsp;except&nbsp;the&nbsp;first&nbsp;line).

VI&nbsp;-&nbsp;WORKAROUND/FIX

To&nbsp;address&nbsp;this&nbsp;problem,&nbsp;the&nbsp;author&nbsp;of&nbsp;rrdbrowse&nbsp;(Tommy&nbsp;van&nbsp;Leeuwen)&nbsp;has
released&nbsp;an&nbsp;updated&nbsp;CVS&nbsp;version&nbsp;(1.7)&nbsp;of&nbsp;the&nbsp;software&nbsp;which&nbsp;is&nbsp;available
at&nbsp;http://www.rrdbrowse.org.&nbsp;Hence&nbsp;all&nbsp;users&nbsp;of&nbsp;rrdbrowse&nbsp;are&nbsp;asked&nbsp;to
test&nbsp;and&nbsp;install&nbsp;this&nbsp;version&nbsp;as&nbsp;soon&nbsp;as&nbsp;possible.

VII&nbsp;-&nbsp;DISCLOSURE&nbsp;TIMELINE

06.&nbsp;February&nbsp;2007&nbsp;-&nbsp;Notified&nbsp;vendor
14.&nbsp;Feburary&nbsp;2007&nbsp;-&nbsp;Patch/new&nbsp;version&nbsp;released
04.&nbsp;March&nbsp;2007&nbsp;-&nbsp;Public&nbsp;disclosure

&nbsp;