Helmut Grohne
2012-Jul-26 13:30 UTC
[Secure-testing-team] Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)
Package: munin
Version: 2.0.2-1
Severity: grave
Tags: security
Justification: user security hole

The default apache configuration shipped and automatically enabled by munin is insecure, because it includes an authentication bypass. The config intends to restrict access to the graphs to localhost:

| <Directory /var/cache/munin/www>
| Order allow,deny
| Allow from localhost 127.0.0.0/8 ::1
| ....

Unfortunately this restriction does not apply to scripts like /usr/lib/cgi-bin/munin-cgi-graph or

| ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html

So just by going to http://$IP/munin-cgi you get to know what you need (some paths may be wrong), and you can look at graphs by going to, for example, http://$IP/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/processes-day.png. This works with a freshly installed munin, munin-node, apache2 without any further configuration.

Note that removing /etc/apache2/conf.d/munin is *not* a workaround for this issue, because /cgi-bin/munin-cgi-graph still works.

This issue is related to #649520.

Helmut
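The underlying mistake is that an Apache `<Directory>` section restricts by the filesystem path a request resolves to, so a rule on /var/cache/munin/www says nothing about scripts served out of /usr/lib/cgi-bin via `ScriptAlias`. The following Python checker is an added example, not code from the bug report or from the munin package: it parses a config fragment, collects every `<Directory>`/`<Location>` block that limits clients by source address, and reports each `Alias`/`ScriptAlias` whose target (or URL prefix) no such block covers. The two config strings are constructed samples modelled on the lines quoted above; the `Alias /munin` and `ScriptAlias /cgi-bin/` lines and the hardened `<Directory /usr/lib/cgi-bin>` block are assumptions added for illustration, not the package's actual file.

```python
"""Flag Alias/ScriptAlias targets that fall outside every access-restricted
<Directory>/<Location> block of an Apache config fragment."""
import re
from posixpath import normpath

# Constructed sample modelled on the fragments quoted in the bug report.
# The Alias and the /cgi-bin/ ScriptAlias lines are assumptions added here.
WEAK_CONF = """\
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
"""

# Hypothetical hardened variant: the same source restriction applied to the
# directory the CGI scripts actually live in.
HARDENED_CONF = WEAK_CONF + """\
<Directory /usr/lib/cgi-bin>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
"""

BLOCK_RE = re.compile(
    r'<(Directory|Location)\s+"?([^\s">]+)"?>(.*?)</(?:Directory|Location)>',
    re.S | re.I)
ALIAS_RE = re.compile(r"^\s*(ScriptAlias|Alias)\s+(\S+)\s+(\S+)", re.M | re.I)


def _restricts_source(body):
    """True if the block limits clients by source address.

    Only 'Allow from <something other than all>' (Apache 2.2 style) and
    'Require <something other than all granted>' (2.4 style) count; a block
    without either is treated as unrestricted, which errs on the side of a
    finding rather than a miss."""
    allow = re.search(r"^\s*Allow\s+from\s+(.+)$", body, re.M | re.I)
    require = re.search(r"^\s*Require\s+(.+)$", body, re.M | re.I)
    if allow and allow.group(1).strip().lower() != "all":
        return True
    if require and not re.match(r"all\s+granted", require.group(1).strip(), re.I):
        return True
    return False


def _covers(prefix, path):
    """Directory-wise prefix test: /usr/lib/cgi-bin covers
    /usr/lib/cgi-bin/x but not /usr/lib/cgi-binx."""
    prefix, path = normpath(prefix), normpath(path)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def unprotected_aliases(conf):
    """Return [(url_prefix, fs_target), ...] for every alias that neither a
    restricted <Directory> (by target path) nor a restricted <Location>
    (by URL prefix) covers."""
    restricted_dirs, restricted_locs = [], []
    for kind, arg, body in BLOCK_RE.findall(conf):
        if _restricts_source(body):
            (restricted_dirs if kind.lower() == "directory"
             else restricted_locs).append(arg)
    findings = []
    for _, url, target in ALIAS_RE.findall(conf):
        if any(_covers(d, target) for d in restricted_dirs):
            continue
        if any(_covers(loc, url) for loc in restricted_locs):
            continue
        findings.append((url, target))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, unprotected_aliases(conf) or "all aliases covered")
```

Run against the weak fragment the checker reports both `/munin-cgi` and `/cgi-bin/`, which matches the report's observation that dropping conf.d/munin alone leaves /cgi-bin/munin-cgi-graph reachable: the second alias comes from a different file. The hardened variant reports nothing, because the restriction now sits on the directory both CGI paths resolve to rather than on the URL the author happened to think about.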