Bug#: 199509
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Peter Volkov <pva@gentoo.org>
Description:   Opened: 2007-11-18 10:53 0000
All cacti versions <=0.8.7 seem to be vulnerable to Command Execution and SQL
Injection.

Initially reported here: http://forums.cacti.net/viewtopic.php?t=18846
upstream bug report here: http://bugs.cacti.net/view.php?id=883

This is a highly critical issue (Secunia rated); I'm going to bump a fixed ebuild
in a moment. Stay tuned...

------- Comment #1 From Peter Volkov 2007-11-18 10:56:57 0000 -------
Workaround seems to exist (not tested by me, but seems correct):

https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/78453
=================================================
This is quite easy to work around. Add the following lines to
/etc/cacti/apache.conf:

        <Files cmd.php>
                Deny from All
        </Files>
        <Files poller.php>
                Deny from All
        </Files>
=================================================

------- Comment #2 From Peter Volkov 2007-11-18 12:17:25 0000 -------
Err. Those links are completely wrong and the security implication is small. It's
only known that some security patches and a fixed version were issued:
http://forums.cacti.net/viewtopic.php?t=24367 In attempting to gather information
I mixed up version numbers. Sorry for that. In any case an ebuild for this unknown
issue will be available very soon.

------- Comment #3 From Robert Buchholz 2007-11-18 12:21:46 0000 -------
We (you :-) handled the issue from the links above at bug 159278.

Can you point me to the patch or commit that fixed this sql injection?

------- Comment #4 From Peter Volkov 2007-11-18 13:41:59 0000 -------
Robert, that was my fault. I'm sorry for the bug spam and disinformation. See my
comment #2. The story is that today I received an announcement about a new cacti
release - a security release. I tried to find out what was fixed there and how it
could be exploited. During the search I missed the date and mixed up that old issue
handled in bug 159278 with the new one.

I've failed to find any relevant information about this new "possible
SQL injection" issue, and the upstream bug report mentioned in the commit message
http://svn.cacti.net/cgi-bin/viewvc.cgi?view=rev&revision=4289 seems to be
closed for reading. So sorry, I do not have more details than what is in the
announcement message (see URI).

In any case, I think it's worth fixing this possible injection. The latest
release and the fix for branch 0.8.6j are in portage. I do not want to stabilize
the 0.8.7 branch now, as I want to do that together with cactid, which currently has
known issues (BTW, the new cactid, called spine, has the same issues too).

So I'd ask arch teams to stabilize 0.8.6j-r7. If the security team agrees with
me, please add arch teams to this bug:
alpha@gentoo.org,amd64@gentoo.org,ppc@gentoo.org,ppc64@gentoo.org,sparc@gentoo.org,x86@gentoo.org

------- Comment #5 From Robert Buchholz 2007-11-18 14:51:10 0000 -------
Thanks. I guess we'll hear more about this soon.

------- Comment #6 From Tony Roman 2007-11-18 17:44:26 0000 -------
This security issue is present in Cacti 0.8.7 and 0.8.6j.  Patches are
available for both versions.  Cacti 0.8.7a does not have this issue.

Patches: http://www.cacti.net/download_patches.php

The following is an explanation of the security issue:
-----------------------------------------------------------
/cacti/graph.php?local_graph_id=-1+union+select+1,2,3,password+from+user_auth+where+id=1/*

When run, a Validation Error is produced, but it also prints the crypted admin
password:

Graphs -> Preview Mode -> fcd382fMYCRYPTEDPASSWORS322fj
-----------------------------------------------------------

All comments about cmd.php and poller.php are old issues that have been
resolved.
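
The following is an added example, not code from this bug or from the Cacti project. It reproduces the injection pattern Tony describes in comment #6 against a constructed sqlite3 stand-in for the graph.php lookup (table names, columns and the sample rows are simplified assumptions, not Cacti's real schema), and places the hardened lookup beside it. The hardened version shows the generic fix for an integer-typed request parameter (validate, then bind); it is not a transcription of the upstream commit, which the thread notes is not readable.

```python
"""
Added example (not from the Gentoo bug or the Cacti project): the
CVE-2007-6035 injection pattern from comment #6, run against a constructed
sqlite3 stand-in for Cacti's graph.php query, next to a hardened lookup.
Table names, columns and rows below are simplified assumptions.
"""
import re
import sqlite3

# Payload exactly as posted in comment #6 (the value of ?local_graph_id=).
PAYLOAD = "-1 union select 1,2,3,password from user_auth where id=1/*"

# Constructed placeholder standing in for the redacted
# "fcd382fMYCRYPTEDPASSWORS322fj" in the comment; not a real hash.
ADMIN_HASH = "fcd382fCONSTRUCTEDHASH322fj"


class ValidationError(ValueError):
    """Raised by the hardened lookup when local_graph_id is not an integer."""


def make_db():
    """In-memory stand-in for the two tables the attack touches (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        create table user_auth(id integer primary key, username text, password text);
        insert into user_auth values (1, 'admin', '{ADMIN_HASH}');
        create table graph_templates_graph(
            local_graph_id integer, title_cache text, height integer, width integer);
        insert into graph_templates_graph values (7, 'Localhost - Load Average', 120, 500);
    """)
    return db


def lookup_graph_vulnerable(db, local_graph_id):
    """Buggy pattern: the request value is spliced straight into the SQL text.

    The query selects four columns, which is why the payload pads its UNION
    with "1,2,3" before "password": UNION requires equal column counts.
    The trailing "/*" comments out whatever follows the injected value.
    """
    sql = ("select local_graph_id, title_cache, height, width "
           f"from graph_templates_graph where local_graph_id={local_graph_id} "
           "order by local_graph_id")
    return db.execute(sql).fetchall()


def lookup_graph_hardened(db, local_graph_id):
    """Fixed pattern: validate the parameter as an integer, then bind it.

    Generic fix for an integer-typed parameter; whether the upstream commit
    did exactly this is not verified here.
    """
    if not re.fullmatch(r"-?[0-9]+", local_graph_id.strip()):
        raise ValidationError(f"local_graph_id is not an integer: {local_graph_id!r}")
    sql = ("select local_graph_id, title_cache, height, width "
           "from graph_templates_graph where local_graph_id=? "
           "order by local_graph_id")
    return db.execute(sql, (int(local_graph_id),)).fetchall()


def leaked_hash(rows):
    """Return the admin hash if the injection pulled it into the result set.

    Comment #6 shows the hash rendered in the "Graphs -> Preview Mode" heading,
    i.e. the injected column landed in a field Cacti displays; in this stand-in
    the fourth column plays that role (assumption).
    """
    for row in rows:
        if row[3] == ADMIN_HASH:
            return row[3]
    return None


def rejects_payload(db, value):
    """True if the hardened lookup refuses the value before it reaches SQL."""
    try:
        lookup_graph_hardened(db, value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legit   :", lookup_graph_vulnerable(db, "7"))
    print("injected:", lookup_graph_vulnerable(db, PAYLOAD))
    print("hardened rejects payload:", rejects_payload(db, PAYLOAD))
```

Running it shows the legitimate id returning the graph row, the payload returning a row whose last column is the admin hash, and the hardened lookup raising a validation error for the payload while still serving the legitimate id. Note that the "/*" in the payload only works because the original query continues after the id; MySQL and SQLite both treat an unterminated block comment as running to the end of the statement.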

------- Comment #7 From Robert Buchholz 2007-11-18 18:27:35 0000 -------
Thanks for the explanation, Tony. Did you or the person who discovered this
already request a CVE name for it?

------- Comment #8 From Tomas Hoger 2007-11-20 12:06:41 0000 -------
(In reply to comment #7)
> Thanks for the explanation, Tony. Did you or the person who discovered this
> already request a CVE name for it?

CVE-2007-6035 was assigned to this.

------- Comment #9 From Robert Buchholz 2007-11-20 15:15:46 0000 -------
Thanks for requesting, Tomas.

------- Comment #10 From Chris Gianelloni (RETIRED) 2007-11-21 19:42:36 0000 -------
amd64 done...

------- Comment #11 From Robert Buchholz 2007-11-21 20:13:43 0000 -------
Since questions arose, please stabilize 0.8.6j-r7.

------- Comment #12 From Christian Faulhammer 2007-11-22 08:03:49 0000 -------
x86 stable

------- Comment #13 From Raúl Porcel 2007-11-22 17:03:55 0000 -------
alpha/sparc stable

------- Comment #14 From Markus Rothe 2007-11-23 20:55:46 0000 -------
ppc64 stable

------- Comment #15 From Brent Baude 2007-11-24 04:39:08 0000 -------
ppc stable

------- Comment #16 From Robert Buchholz 2007-11-26 02:01:00 0000 -------
Vote is open, I vote YES.

------- Comment #17 From Peter Volkov 2007-11-26 07:48:35 0000 -------
I vote yes too.

------- Comment #18 From Pierre-Yves Rofes 2007-12-02 22:34:35 0000 -------
request filed.

------- Comment #19 From Pierre-Yves Rofes 2007-12-05 23:00:49 0000 -------
GLSA 200712-02
