Peoples I've discovered a directory traversal vulnerability in the svcstatus.c file, allowing a remote attacker to view any file on the filesystem that's visible to the web server user. When viewing a specific historical entry, and then setting the parameter for TIMEBUF to "../../../..(etc)/path/to/file" you get to view the file. For example: http://somesite.com/xymon-cgi/historylog.sh?HOST=somehost&SERVICE=conn&TIMEB... Here's a patch to prevent it: ---- web/svcstatus.c.orig 2011-05-06 12:12:45.000000000 +1000 +++ web/svcstatus.c 2011-05-06 13:20:47.000000000 +1000 @@ -83,6 +83,12 @@ else if (strcasecmp(cwalk->name, "TIMEBUF") == 0) { /* Only for the historical logs */ tstamp = strdup(cwalk->value); + char *p = basename(tstamp); + /* Sanity check timestamp to avoid dir traversal attacks */ + if (strcmp(p,tstamp) != 0) { + errormsg("Invalid time specification\n"); + return 1; + }; } else if (strcasecmp(cwalk->name, "CLIENT") == 0) { char *p; I'm not a C coder, so there's an excellent chance someone else can come up with a better patch. It would be nice to log an error into the web server log, but it doesn't work for me, and I'm guessing the xymon CGI process closes stderr when it starts up or something like that. Cheers Jeremy