Forwarded by request.

---------- Forwarded Message ----------

* * * SECURITY UPDATE FOR MULTI-ROUTER LOOKING GLASS * * *

A vulnerability has been discovered by the EnterZone staff in Multi-Router Looking Glass versions 4.2.2 and 4.2.3.

Vulnerability:

If the MRLG admin has specified "$::output_before_menu = 1;" in mrlg.conf, remote users are able to execute MRLG commands on configured routers that are protected by an MRLG password.

This vulnerability does not affect users who have not specified "$::output_before_menu = 1;" in mrlg.conf, or MRLG versions prior to 4.2.2.

Fix:

Upgrade to MRLG-4.2.4, available for immediate download at:

ftp://ftp.enterzone.net/looking-glass/CURRENT/

Alternately, users running MRLG-4.2.3 may patch their MRLG to version 4.2.4 with the following patch:

*** index.cgi Wed Nov 27 01:23:57 2002
--- index.cgi.new Fri Mar 14 23:11:16 2003
*************** no warnings "once";
*** 8,10 ****
! $::Version='4.2.3 Beta (IPv6)';
--- 8,10 ----
! $::Version='4.2.4 Beta (IPv6)';
*************** set_router();
*** 150,154 ****
--- 150,162 ----
+ if ($::Form{'pass1'} eq $::Routers{$::Form{'router'}}{'pass'})
+ {
  if ($::output_before_menu) {
+ ## Set up which command is to be executed (and then execute it!)
  set_command();
+ }
+ }
+ else
+ {
+ print "<font color=red><B>INVALID PASSWORD!</B></font><BR>";
  }

---------- End Forwarded Message ----------
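Review bot: the new guard at the top of the second hunk compares `$::Form{'pass1'}` to `$::Routers{$::Form{'router'}}{'pass'}` with a bare `eq`, and nothing in the hunk checks that `$::Form{'router'}` names a configured router or that the stored password is defined; Perl's `eq` treats an undefined operand as the empty string, so for a router name not in `%::Routers` (or a router with no `pass` entry) an empty `pass1` satisfies the comparison and still reaches `set_command()`. Suggest rejecting unknown routers before the comparison, e.g. `unless (exists $::Routers{$::Form{'router'}} and defined $::Routers{$::Form{'router'}}{'pass'})`, and falling through to the same INVALID PASSWORD branch in that case. Also worth noting for the changelog: the check only wraps the `$::output_before_menu` path, which matches the advisory's statement that installations without that setting are unaffected, but that rationale should be recorded in a comment next to the guard.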