* * * SECURITY UPDATE * * * MRLG-4.2.4 Released * * * (fwd)

John Payne john at sackheads.org
Sat Mar 15 05:01:28 UTC 2003


Forwarded by request.

---------- Forwarded Message ----------

* * * SECURITY UPDATE FOR MULTI-ROUTER LOOKING GLASS * * *

A vulnerability has been discovered by the EnterZone staff in Multi-Router
Looking Glass versions 4.2.2 and 4.2.3.

Vulnerability:

If the MRLG admin has specified "$::output_before_menu = 1;" in mrlg.conf,
remote users are able to execute MRLG commands on password (MRLG
password) protected routers that have been configured.  This vulnerability
does not affect users who have not specified "$::output_before_menu = 1;"
in mrlg.conf, or MRLG versions prior to 4.2.2.

Fix:

Upgrade to MRLG-4.2.4, available for immediate download at:

ftp://ftp.enterzone.net/looking-glass/CURRENT/


Alternatively, users running MRLG-4.2.3 may patch their MRLG to version
4.2.4 with the following patch:



*** index.cgi   Wed Nov 27 01:23:57 2002
--- index.cgi.new       Fri Mar 14 23:11:16 2003
*************** no warnings "once";
*** 8,10 ****

! $::Version='4.2.3 Beta (IPv6)';

--- 8,10 ----

! $::Version='4.2.4 Beta (IPv6)';

*************** set_router();
*** 150,154 ****
--- 150,162 ----

+ if ($::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'})
+ {
  if ($::output_before_menu)
  {
+ ## Set up which command is to be executed (and then execute it!)
  set_command();
+ }
+ }
+ else
+ {
+ print "<font color=red><B>INVALID PASSWORD!</B></font><BR>";
  }
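Review bot: the `else` that prints INVALID PASSWORD! sits outside the `if ($::output_before_menu)` block, so admins who have not set `$::output_before_menu` (whom the advisory says are unaffected) now get the message on any request whose `pass1` does not `eq` the router's `pass`, including a request that carries no `pass1` at all. Either move the password check and its `else` inside the `if ($::output_before_menu)` block, or gate the message on a command actually having been submitted. Two further things worth confirming before release: when `$::Form{'router'}` is not a key of `%::Routers`, `$::Routers{$::Form{'router'}}{'pass'}` is undef and an empty `pass1` compares `eq` to it, so the check passes and set_command() is reached unless set_router() has already rejected the unknown name; and a router with no `pass` configured is likewise open to an empty `pass1`, which is presumably intended but should be stated in the 4.2.4 notes.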





---------- End Forwarded Message ----------
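The bug above is an authorization check that did not cover every path able to reach set_command(): with output_before_menu set, the command ran before the password was looked at. The following Perl is an added example written for this page, not MRLG code or the EnterZone patch; it models the 4.2.4 ordering (authorize first, then run) and also handles the cases a reviewer of the patch would probe, namely an unknown router name, a router with no password configured, and a request with no pass1. The field names 'router' and 'pass1' and the $Routers{...}{'pass'} layout come from the patch; the router table, run_command() and the sample requests are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example, not MRLG code. 'router', 'pass1' and the
# $Routers{name}{'pass'} layout follow the 4.2.4 patch; everything else
# (router table, requests, run_command) is invented for this demo.
my %Routers = (
    'core1' => { 'host' => 'core1.example.net', 'pass' => 'secret' },
    'edge1' => { 'host' => 'edge1.example.net' },           # no password set
);

# Decide whether a request may execute a command, before anything runs.
# Returns (1, '') on success or (0, reason) on refusal.
sub authorize {
    my ($form) = @_;
    my $name = $form->{'router'};

    # Refuse unknown routers explicitly. A bare $Routers{$name}{'pass'}
    # lookup autovivifies an empty entry and yields undef, and in Perl an
    # empty string compares `eq` to undef, so "" would pass a plain `eq` check.
    return (0, 'unknown router')
        unless defined $name && exists $Routers{$name};

    my $pass = $Routers{$name}{'pass'};
    return (1, '') unless defined $pass && length $pass;   # open router

    my $given = $form->{'pass1'};
    return (0, 'password required') unless defined $given;
    return (0, 'invalid password')  unless $given eq $pass;
    return (1, '');
}

# Stand-in for set_command(): only reached after authorize() said yes.
sub run_command {
    my ($form) = @_;
    return "would run '$form->{'cmd'}' on $Routers{$form->{'router'}}{'host'}";
}

# The 4.2.4 ordering: authorization precedes execution on every path,
# whether the output is printed before or after the menu.
sub handle_request {
    my ($form) = @_;
    my ($ok, $why) = authorize($form);
    return "refused: $why" unless $ok;
    return run_command($form);
}

# Constructed requests covering the cases worth checking.
my @requests = (
    { 'router' => 'core1',  'pass1' => 'secret', 'cmd' => 'show ip bgp summary' },
    { 'router' => 'core1',  'pass1' => 'wrong',  'cmd' => 'show ip bgp summary' },
    { 'router' => 'core1',                       'cmd' => 'show ip bgp summary' },
    { 'router' => 'edge1',  'pass1' => '',       'cmd' => 'show ip bgp summary' },
    { 'router' => 'nosuch', 'pass1' => '',       'cmd' => 'show ip bgp summary' },
);

for my $req (@requests) {
    printf "router=%-7s pass1=%-8s -> %s\n",
        $req->{'router'},
        defined $req->{'pass1'} ? "'$req->{'pass1'}'" : '(none)',
        handle_request($req);
}
```

Only the first and fourth requests reach run_command(); the wrong, missing and unknown-router cases are refused before any command could be dispatched, which is the property the 4.2.3 output_before_menu path lacked.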