Bug 60630 - net-analyzer/cacti SQL injection that allows bypass auth.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B3 [glsa] jaervosz
Reported: 2004-08-16 21:21 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-16 21:21:22 UTC
From FD:

a) Full path disclosure 
 
In several parts of the code, when anyone tries to open files in
directories that do not appear at first, like include,
lib, scripts, etc., an error appears that reveals the path where
the program is installed.

<snip>

b) SQL injection and bypass the authentication. 
 
Injection of code is possible in the index.php file to pass auth.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-16 21:26:38 UTC
Netmon, will you please verify that we are vulnerable and patch if needed?

http://cvs.raxnet.net/cgi-bin/viewcvs.cgi/cacti/auth_login.php
Comment 2 Eldad Zack (RETIRED) gentoo-dev 2004-08-17 02:30:35 UTC
Yep.
I'll prepare a patch for it.
Comment 3 Eldad Zack (RETIRED) gentoo-dev 2004-08-17 02:56:14 UTC
0.8.5a-r1 in portage, stable on x86.


Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-17 05:39:04 UTC
Security, please draft GLSA.
Comment 5 solar (RETIRED) gentoo-dev 2004-08-17 05:51:28 UTC
It should be noted that you _MUST_ back up a copy of your include/config.php 
before merging cacti or you will lose your database settings and cacti will have 
to be reconfigured.

cp /var/www/localhost/htdocs/cacti/include/config.php ~
emerge '>=net-analyzer/cacti-0.8.5a-r1'
cp ~/config.php /var/www/localhost/htdocs/cacti/include/config.php
Comment 6 Eldad Zack (RETIRED) gentoo-dev 2004-08-17 07:33:32 UTC
Hmm. I moved config.php to config-sample.php. That should handle that.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-18 10:48:40 UTC
magic_quotes_gpc is on by default so this is not that big an issue.

Security, please vote about GLSA publication.
Comment 8 solar (RETIRED) gentoo-dev 2004-08-18 22:36:53 UTC
Revision 1.49, Wed Jul 21 05:30:27 2004 UTC (4 weeks, 1 day ago) by iberry
Branch: MAIN
CVS Tags: HEAD
Changes since 1.48: +7 -10 lines

remove security hazard

------------------------------
I vote yes.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-19 01:04:47 UTC
GLSA drafted. Security, please review.

This patch does not seem to solve the full path disclosure problem.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 06:38:01 UTC
Path issue was not fixed but most web-apps suffer the same issue.

GLSA 200408-21