Vendor: rrdbrowse
By: Sebastian Wolfgarten
CVSS: 5.5 (MEDIUM)
CWE: Arbitrary file disclosure
Product Name: rrdbrowse
Affected Version From: <=1.6
Affected Version To:
Patch Exists: YES
Related CWE:
CPE:
Platforms Tested:
Year: 2007
Arbitrary file disclosure vulnerability in rrdbrowse
Due to improper input validation, the CGI application 'rrdbrowse' (versions <=1.6) is vulnerable to an arbitrary file disclosure vulnerability. It allows an unauthenticated remote attacker to read any file on the remote system that the user the webserver is running as has permission to read. Thus an attacker is able to gain access to potentially sensitive information. The vulnerability is trivial to exploit and only requires specifying a URL with a relative file path on the remote system.
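The missing input validation described above is the classic path-traversal pattern: a request parameter is joined onto a directory and opened without checking where the result lands. The following added example (not rrdbrowse's code; `base_dir`, the `.rrd` suffix rule and the parameter handling are assumptions for illustration) shows the check a CGI of this kind needs, plus a small helper for spotting traversal attempts in access logs.

```python
import posixpath
from urllib.parse import unquote


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_rrd_path(base_dir: str, user_path: str) -> str:
    """Map a request parameter onto a file under base_dir, refusing any value
    that would land outside it (the bug class described in the advisory).
    base_dir is the directory the CGI may read from (assumed; not an actual
    rrdbrowse setting). Returns the normalised absolute path."""
    base = posixpath.normpath(base_dir)
    # Decode percent-encoding first so '%2e%2e%2f' cannot slip past the check,
    # then reject NUL bytes, which truncate file names at the C level.
    decoded = unquote(user_path)
    if not decoded or "\x00" in decoded:
        raise PathEscapeError("empty or NUL-containing path")
    # Treat the value as relative even if the client supplied a leading '/'.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # normpath has collapsed '..' segments; if the result is not strictly
    # below base, the value was trying to climb out of it.
    if not candidate.startswith(base.rstrip("/") + "/"):
        raise PathEscapeError("path escapes %s: %r" % (base, user_path))
    if not candidate.endswith(".rrd"):
        raise PathEscapeError("only .rrd files may be requested")
    return candidate


def is_allowed(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_rrd_path(base_dir, user_path)
        return True
    except PathEscapeError:
        return False


def looks_like_traversal(param_value: str) -> bool:
    """Detection helper for log review: True when a raw query value contains
    a '..' segment or an absolute path after percent-decoding (applied twice
    so double-encoded values are caught as well)."""
    v = unquote(unquote(param_value))
    segments = v.replace("\\", "/").split("/")
    return ".." in segments or v.startswith("/")
```

On a live system, also pass the result through `os.path.realpath` before opening it so a symlink inside `base_dir` cannot point elsewhere; the string check alone does not see symlinks.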
Mitigation:
To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has released an updated CVS version (1.7) of the software which is available at http://www.rrdbrowse.org. Hence all users of rrdbrowse are asked to test and install this version as soon as possible.