Bug 324031 - <net-analyzer/cacti-0.8.7g: Multiple vulnerabilities (CVE-2010-{1644,1645,2092,2543,2544,2545})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.cacti.net/changelog.php
Whiteboard: B1 [glsa]
Reported: 2010-06-14 22:28 UTC by Matthias Geerdsen (RETIRED)
Modified: 2014-01-21 19:30 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:28:28 UTC
CVE-2010-2092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2092):
  SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier
  allows remote attackers to execute arbitrary SQL commands via the
  rra_id parameter in a GET request in conjunction with a valid rra_id
  value in a POST request or a cookie, which bypasses the validation
  routine.
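The bypass described for CVE-2010-2092 is a source-confusion bug: the validation routine and the query do not look at the same copy of rra_id. The following Python block is an added illustration of that pattern and is not Cacti's code (Cacti is PHP); it assumes a merged request array in which POST and cookie values override GET, the precedence PHP's $_REQUEST uses with its default ordering, and a constructed in-memory SQLite schema (the rra and user_auth tables and their rows are made up for the example). The vulnerable function validates the merged value while building its SQL from the GET value; the hardened one validates the value it actually uses and binds it as a parameter.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the example; not Cacti's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rra (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO rra VALUES (?, ?)", [(1, "daily"), (2, "weekly")])
    conn.execute("INSERT INTO user_auth VALUES (?, ?, ?)", (1, "admin", "constructed-hash"))
    return conn


def merged_request(get: dict, post: dict, cookie: dict) -> dict:
    """Emulates a merged request array where later sources override earlier ones.

    Assumption: this mirrors the precedence of PHP's $_REQUEST (GET, then POST,
    then cookie) so a POST or cookie rra_id shadows the GET rra_id.
    """
    merged: dict = {}
    for source in (get, post, cookie):
        merged.update(source)
    return merged


def is_numeric(value) -> bool:
    """Whitelist check: the value must be a string of decimal digits."""
    return value is not None and re.fullmatch(r"[0-9]+", str(value)) is not None


def vulnerable_lookup(conn: sqlite3.Connection, get: dict, post: dict, cookie: dict) -> list:
    """The flawed pattern: validation inspects the merged value, the query reads GET.

    A valid rra_id in POST (or a cookie) satisfies the check while the GET copy,
    which is what reaches the query, is interpolated unchecked.
    """
    if not is_numeric(merged_request(get, post, cookie).get("rra_id")):
        raise ValueError("invalid rra_id")
    rra_id = get.get("rra_id")
    return conn.execute(f"SELECT id, name FROM rra WHERE id = {rra_id}").fetchall()


def hardened_lookup(conn: sqlite3.Connection, get: dict) -> list:
    """Validate exactly the value that is used, then bind it as a query parameter."""
    raw = get.get("rra_id")
    if not is_numeric(raw):
        raise ValueError("invalid rra_id")
    return conn.execute("SELECT id, name FROM rra WHERE id = ?", (int(raw),)).fetchall()


# Constructed attacker request: the injected GET value plus the "valid rra_id value
# in a POST request" that the advisory text describes.
ATTACK_GET = {"rra_id": "1 UNION SELECT id, username FROM user_auth"}
ATTACK_POST = {"rra_id": "1"}


def demo() -> dict:
    """Runs both lookups against the constructed database and reports the outcome."""
    conn = build_db()
    out = {"vulnerable_rows": set(vulnerable_lookup(conn, ATTACK_GET, ATTACK_POST, {}))}
    try:
        hardened_lookup(conn, ATTACK_GET)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    out["hardened_rows"] = hardened_lookup(conn, {"rra_id": "1"})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the attack request the vulnerable lookup returns the legitimate rra row together with the admin username pulled in through the UNION; the hardened lookup refuses the same input because it validates the GET value itself. sqlite3's execute() accepts a single statement, so a UNION rather than a stacked statement is the realistic extraction here. The general lesson is that every copy of a request parameter that reaches a query must be the copy that was validated, and that parameter binding removes the interpolation entirely.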
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-01 20:06:02 UTC
CVE-2010-1644 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1644):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
  0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution
  and other products, allow remote attackers to inject arbitrary web
  script or HTML via the (1) hostname or (2) description parameter to
  host.php, or (3) the host_id parameter to data_sources.php.

CVE-2010-1645 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1645):
  Cacti before 0.8.7f, as used in Red Hat High Performance Computing
  (HPC) Solution and other products, allows remote authenticated
  administrators to execute arbitrary commands via shell metacharacters
  in (1) the FQDN field of a Device or (2) the Vertical Label field of
  a Graph Template.

CVE-2010-2543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2543):
  Cross-site scripting (XSS) vulnerability in
  include/top_graph_header.php in Cacti before 0.8.7g allows remote
  attackers to inject arbitrary web script or HTML via the graph_start
  parameter to graph.php.  NOTE: this vulnerability exists because of
  an incorrect fix for CVE-2009-4032.2.b.

CVE-2010-2544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2544):
  Cross-site scripting (XSS) vulnerability in utilities.php in Cacti
  before 0.8.7g, as used in Red Hat High Performance Computing (HPC)
  Solution and other products, allows remote attackers to inject
  arbitrary web script or HTML via the filter parameter.

CVE-2010-2545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2545):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
  0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution
  and other products, allow remote attackers to inject arbitrary web
  script or HTML via (1) the name element in an XML template to
  templates_import.php; and allow remote authenticated administrators
  to inject arbitrary web script or HTML via vectors related to (2)
  cdef.php, (3) data_input.php, (4) data_queries.php, (5)
  data_sources.php, (6) data_templates.php, (7) gprint_presets.php, (8)
  graph.php, (9) graphs_new.php, (10) graphs.php, (11)
  graph_templates_inputs.php, (12) graph_templates_items.php, (13)
  graph_templates.php, (14) graph_view.php, (15) host.php, (16)
  host_templates.php, (17) lib/functions.php, (18) lib/html_form.php,
  (19) lib/html_form_template.php, (20) lib/html.php, (21)
  lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php, and
  (25) user_admin.php.
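CVE-2010-1645 above is the classic shell-metacharacter problem: a device's FQDN (or a template's Vertical Label) ends up inside a command line that a shell parses. The block below is an added Python illustration of that pattern and its fix, not Cacti's code and not the command Cacti runs; it uses echo as a stand-in for the real utility so it runs anywhere with /bin/sh, and the attacker-controlled FQDN value is constructed. The vulnerable function interpolates the field into a shell string; the hardened one validates the value against a hostname grammar and passes it as a single argv element so no shell ever parses it.

```python
import re
import subprocess

# Hostname grammar (assumption: a conservative RFC-style label syntax, not Cacti's
# own check): dot-separated labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, at most 253 characters overall. Rejecting a
# leading hyphen also prevents the value being parsed as an option by the utility.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?",
    re.IGNORECASE,
)


def is_valid_fqdn(value: str) -> bool:
    """True only for strings that match the whole hostname grammar."""
    return HOSTNAME_RE.fullmatch(value) is not None


def run_vulnerable(fqdn: str) -> str:
    """Interpolates the field into a shell command line: metacharacters are honoured.

    'echo' stands in for the real utility; the injection works the same way.
    """
    cmd = f"echo resolving {fqdn}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(fqdn: str) -> str:
    """No validation, but argv form without a shell: the field is one literal argument."""
    return subprocess.run(["echo", "resolving", fqdn], capture_output=True, text=True).stdout


def run_hardened(fqdn: str) -> str:
    """Validate first, then pass the value as a single argv element."""
    if not is_valid_fqdn(fqdn):
        raise ValueError(f"rejected hostname: {fqdn!r}")
    return run_argv_only(fqdn)


# Constructed attacker-controlled Device FQDN field.
PAYLOAD = "router.example.net; echo INJECTED"


def demo() -> dict:
    """Runs the payload through each variant and reports what the command produced."""
    out = {
        "vulnerable_lines": run_vulnerable(PAYLOAD).splitlines(),
        "argv_lines": run_argv_only(PAYLOAD).splitlines(),
    }
    try:
        run_hardened(PAYLOAD)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    out["hardened_ok"] = run_hardened("router.example.net").strip()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shell variant produces two lines, the second being the output of the injected command; the argv variant produces one line containing the payload verbatim, because the semicolon is just a byte in an argument. Validation is still worth keeping on top of argv form: it rejects values such as "-c" that a utility would otherwise read as an option, and it is what an administrator-only field like this should have enforced in the first place.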

Comment 2 Peter Volkov (RETIRED) gentoo-dev 2010-11-15 15:40:10 UTC
0.8.7g is in the tree. Arch teams, please, stabilize.

Target keywords.
net-analyzer/cacti-0.8.7g: alpha amd64 hppa ppc ppc64 sparc x86
net-analyzer/cacti-spine-0.8.7g: amd64 ppc ppc64 sparc x86
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2010-11-16 16:49:36 UTC
x86 done.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-11-17 22:19:09 UTC
amd64 done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-19 18:03:52 UTC
Stable for HPPA PPC.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-11-20 12:21:12 UTC
alpha/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-12-20 15:14:39 UTC
ppc64 done
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-12-20 17:56:53 UTC
Thanks, everyone. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:30:03 UTC
This issue was resolved and addressed in
 GLSA 201401-20 at http://security.gentoo.org/glsa/glsa-201401-20.xml
by GLSA coordinator Sean Amoss (ackle).