Rule:

--
Sid:
1862

--
Summary:
This event is generated when an attempt is made to exploit a flaw on a 
server running mrtg.

--
Impact:
Medium

--
Detailed Information:
MRTG is a graphing program, typically used for displaying statistics 
about network devices such as routers and switches. The mrtg.cgi script 
is vulnerable to an attack that can display the first line of any file 
on the system.

--
Affected Systems:
	Hosts running MRTG

--
Attack Scenarios:
An attacker can use the mrtg.cgi program to view the first line of any 
file.

By carfting a url like so 
"http://target/mrtg.cgi?cfg=/../../../../../../../../../path/to/file", 
a user is able to view the specified file.

--
Ease of Attack:
Simple.

--
False Positives: 
None known.

--
False Negatives: 
None known.

--
Corrective Action:
Disallow access to the mrtg.cgi program from external sources.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com> 
Snort documentation contributed by Josh Sakofsky

-- 
Additional References:

Nessus:
http://cgi.nessus.org/plugins/dump.php3?id=11001
