MRTG CGI Arbitrary File Display Vulnerability

[Homer]

Multi Router Traffic Grapher (MRTG) CGI scripts (current version is 2.9.17) allow display of arbitrary files from the host machine. This can be accomplished by specifying a relative path and file name in a query string passed to the scripts via a properly constructed URL. The scripts reported to be vulnerable include mrtg.cgi, traffic.cgi, 14all-1.1.cgi, and 14all.cgi. An example URL is: http://somehost/mrtg.cgi?cfg=../../../../../../../../etc/passwd. All affected scripts are reportedly exploited with the same query string. (ie, the "cfg=" variable).