* * * SECURITY UPDATE * * * MRLG-4.2.4 Released * * * (fwd)
John Payne
john at sackheads.org
Sat Mar 15 05:01:28 UTC 2003
Forwarded by request.
---------- Forwarded Message ----------
* * * SECURITY UPDATE FOR MULTI-ROUTER LOOKING GLASS * * *
A vulnerability has been discovered by the EnterZone staff in Multi-Router
Looking Glass versions 4.2.2 and 4.2.3.
Vulnerability:
If the MRLG admin has specified "$::output_before_menu = 1;" in mrlg.conf,
remote users are able to execute MRLG commands on password (MRLG
password) protected routers that have been configured. This vulnerability
does not affect users who have not specified "$::output_before_menu =
1;" in mrlg.conf or MRLG versions prior to 4.2.2.
Fix:
Upgrade to MRLG-4.2.4, available for immediate download at:
ftp://ftp.enterzone.net/looking-glass/CURRENT/
Alternately, users running MRLG-4.2.3 may patch their MRLG to version
4.2.4 with the following patch:
*** index.cgi Wed Nov 27 01:23:57 2002
--- index.cgi.new Fri Mar 14 23:11:16 2003
*************** no warnings "once";
*** 8,10 ****
! $::Version='4.2.3 Beta (IPv6)';
--- 8,10 ----
! $::Version='4.2.4 Beta (IPv6)';
*************** set_router();
*** 150,154 ****
--- 150,162 ----
+ if ($::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'})
+ {
if ($::output_before_menu)
{
+ ## Set up which command is to be executed (and then execute it!)
set_command();
+ }
+ }
+ else
+ {
+ print "<font color=red><B>INVALID PASSWORD!</B></font><BR>";
}
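Review bot: The added test `$::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'}` compares two values that can both be undefined, and Perl's `eq` treats undef and the empty string as equal. A request that names a router with no entry (or no 'pass' key) in %::Routers and sends an empty or missing pass1 therefore passes the check and reaches set_command(), unless the preceding set_router() call already rejects unknown router names. Consider verifying `exists $::Routers{$::Form{'router'}}` first, and comparing only when a password is actually defined for that router, so an absent password is handled explicitly rather than by coincidence; the lookup as written also autovivifies an entry in %::Routers for any router name a client submits. Separately, the new else branch is attached to the password test rather than to the `$::output_before_menu` test, so "INVALID PASSWORD!" is printed on a mismatch even when output_before_menu is off; if the message is only meant for the output-before-menu path, the password check belongs inside that block.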
---------- End Forwarded Message ----------