Bug 129284 - net-analyzer/cacti includes vulnerable adodb (CVE-2006-{0146|0147|0410|0806})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.debian.org/security/2006/d...
Whiteboard: B1? [glsa] jaervosz
Reported: 2006-04-08 14:33 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-04-14 13:35 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-08 14:33:16 UTC
Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-0146 
Andreas Sandblad discovered that improper user input sanitisation results in a potential remote SQL injection vulnerability enabling an attacker to compromise applications, access or modify data, or exploit vulnerabilities in the underlying database implementation. This requires the MySQL root password to be empty. It is fixed by limiting access to the script in question.

CVE-2006-0147 
A dynamic code evaluation vulnerability allows remote attackers to execute arbitrary PHP functions via the 'do' parameter.

CVE-2006-0410 
Andy Staudacher discovered an SQL injection vulnerability due to insufficient input sanitising that allows remote attackers to execute arbitrary SQL commands.

CVE-2006-0806 
GulfTech Security Research discovered multiple cross-site scripting vulnerabilities due to improper user-supplied input sanitisation. Attackers can exploit these vulnerabilities to cause arbitrary scripts to be executed in the browser of an unsuspecting user's machine, or result in the theft of cookie-based authentication credentials.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-04-09 09:40:40 UTC
Hi Lance, this might need a bump, please advise.
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2006-04-09 14:45:05 UTC
I just sent an email to the upstream developer I've dealt with directly. Hopefully I'll get an answer soon concerning this issue.
Comment 3 Lance Albertson (RETIRED) gentoo-dev 2006-04-09 20:24:18 UTC
I've got an update on the issue. Below are excerpts from the email I received from the developers of cacti:

---

Tony,

The current 0.8.6h release should not be susceptible to this vulnerability. We removed the following files from the distribution based upon the original advisory [0].

lib/adodb/pivottable.inc.php
lib/adodb/rsfilter.inc.php
lib/adodb/server.php

Also, see commit #3496.

Ian

[0] http://secunia.com/advisories/17418/ 

----

Lance Albertson wrote:
> What about the releases prior to 0.8.6h? I still have 0.8.6g in our
> package repository and would need to remove it if that is possibly
> vulnerable. Thanks for the quick reply!

Yes, versions prior to 0.8.6h are still vulnerable.

Ian

----

x86 should be fine, but it looks like alpha and sparc have yet to mark a 0.8.6h version as stable. It's your call on what we should do.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-09 21:45:46 UTC
At least adodb-pager.inc.php is still included in a version from adodb-4.71 or lower which is not fixed for CVE-2006-0806. 

So unless this is not exploitable in the cacti context at least the XSS vulnerability remains.

Maybe I missed something, Lance could you take a second look?
Comment 5 Lance Albertson (RETIRED) gentoo-dev 2006-04-09 22:28:31 UTC
I just got a reply from Ian Berry and it seems he may have missed that one. I've sent him the full text from the first comment in this bug in case he missed seeing that. The initial reaction was for us to create a revision that removed that file. I'm waiting to hear back from him to find out if that will definitely work or not.
Comment 6 Ian Berry 2006-04-10 17:29:48 UTC
I have removed the adodb-pager.inc.php file and confirmed that it does not affect Cacti's operation. This will be included in the next release, 0.8.6i. For now, I recommend that you push a new revision of the 0.8.6h ebuild that takes care of deleting this file.
Comment 7 Lance Albertson (RETIRED) gentoo-dev 2006-04-10 18:10:16 UTC
Thanks for commenting on the bug Ian. I've committed cacti-0.8.6h_p20060108-r2 into portage which will remove that file. I haven't marked it stable yet. Let me know when you want me to do that.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-10 23:29:34 UTC
Please test and mark stable.
Comment 9 Chris Gianelloni (RETIRED) gentoo-dev 2006-04-11 13:06:29 UTC
I've done x86 since I use this daily on several boxes. The changes seem fine and haven't adversely affected my install.
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-04-11 16:06:42 UTC
Seems to work fine on alpha.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2006-04-12 19:40:40 UTC
SPARC'd
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-12 23:13:58 UTC
Thx, this one is ready for GLSA.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-04-14 13:35:36 UTC
GLSA 200604-07
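
An added example, not part of the bug thread and not Cacti or Gentoo code: a shell check that a Cacti install no longer carries the four bundled ADOdb files that comments 3 and 6 report as removed. The function name and the `lib/adodb/` location of `adodb-pager.inc.php` are assumptions.

```shell
#!/bin/sh
# Added example: audit a Cacti tree for the bundled ADOdb files that this
# bug reports as removed upstream or by the revised ebuild.

# Paths relative to the Cacti root. The first three are quoted in comment 3;
# adodb-pager.inc.php (comment 6) is assumed to sit in lib/adodb/ as well.
FLAGGED_FILES="lib/adodb/pivottable.inc.php
lib/adodb/rsfilter.inc.php
lib/adodb/server.php
lib/adodb/adodb-pager.inc.php"

# audit_cacti_adodb ROOT
# Prints every flagged file still present under ROOT.
# Returns 0 if none remain, 1 if any remain, 2 if ROOT is not a directory.
audit_cacti_adodb() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    found=0
    for rel in $FLAGGED_FILES; do
        # -e follows symlinks; -L also reports a dangling link left behind.
        if [ -e "$root/$rel" ] || [ -L "$root/$rel" ]; then
            echo "$root/$rel"
            found=1
        fi
    done
    return $found
}

# When run as a script with a path argument, audit that tree.
if [ "$#" -gt 0 ]; then
    audit_cacti_adodb "$1"
fi
```

A non-zero exit status makes the check usable in a post-upgrade hook or a configuration-management compliance run.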