MRTG mrtg.cgi cfg Parameter Traversal Arbitrary Files Access

medium Nessus Plugin ID 11001

Synopsis

The remote web server hosts a CGI script that is prone to a directory traversal attack.

Description

The 'mrtg.cgi' script is part of the MRTG traffic visualization application. A directory traversal vulnerability in the script's 'cfg' parameter allows a remote attacker to view the first line of any file on the system.

Solution

Block access to this CGI.

Plugin Details

Severity: Medium

ID: 11001

File Name: DDI_MRTG_File_Read.nasl

Version: 1.28

Type: remote

Family: CGI abuses

Published: 6/5/2002

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2/1/2002

Reference Information

CVE: CVE-2002-0232

BID: 4017