Forwarded by request.
---------- Forwarded Message ----------
* * * SECURITY UPDATE FOR MULTI-ROUTER LOOKING GLASS * * *
A vulnerability has been discovered by the EnterZone staff in Multi-Router Looking Glass versions 4.2.2 and 4.2.3.
Vulnerability:
If the MRLG admin has specified "$::output_before_menu = 1;" in mrlg.conf, remote users are able to execute MRLG commands on password-protected (MRLG password) routers that have been configured. This vulnerability does not affect users who have not specified "$::output_before_menu = 1;" in mrlg.conf, or MRLG versions prior to 4.2.2.
Fix:
Upgrade to MRLG-4.2.4, available for immediate download at:
ftp://ftp.enterzone.net/looking-glass/CURRENT/
Alternatively, users running MRLG-4.2.3 may patch their MRLG to version 4.2.4 with the following patch:
*** index.cgi Wed Nov 27 01:23:57 2002 --- index.cgi.new Fri Mar 14 23:11:16 2003 *************** no warnings "once"; *** 8,10 ****
! $::Version='4.2.3 Beta (IPv6)';
--- 8,10 ----
! $::Version='4.2.4 Beta (IPv6)';
*************** set_router(); *** 150,154 **** --- 150,162 ----
+ if ($::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'})
+ {
if ($::output_before_menu)
{
+ ## Set up which command is to be executed (and then execute it!)
set_command();
+ }
+ }
+ else
+ {
+ print "<font color=red><B>INVALID PASSWORD!</B></font><BR>";
}
---------- End Forwarded Message ----------
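Review bot: the new password gate in the set_router() hunk compares `$::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'}` without first checking that the submitted router name is a configured router or that it has a 'pass' entry; under `eq`, an undefined stored password and an empty or missing `pass1` compare equal, so a request naming an unknown or password-less router falls into the `if ($::output_before_menu)` branch and reaches set_command() rather than the INVALID PASSWORD branch. Guarding with `exists $::Routers{$::Form{'router'}}` and `defined $::Routers{$::Form{'router'}}{'pass'}` before the comparison, and deciding explicitly whether a router with no password is meant to be open, would make the intent clear. The hunk also only adds the check around the `$::output_before_menu` path; the advisory or patch should state that the path taken when that option is unset already performs the same comparison, since nothing in this hunk shows it.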
