Several vulnerabilities have been discovered in libphp-adodb, the 'adodb' database abstraction layer for PHP, which is embedded in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-0146
Andreas Sandblad discovered that improper user input sanitisation results in a potential remote SQL injection vulnerability enabling an attacker to compromise applications, access or modify data, or exploit vulnerabilities in the underlying database implementation. This requires the MySQL root password to be empty. It is fixed by limiting access to the script in question.

CVE-2006-0147
A dynamic code evaluation vulnerability allows remote attackers to execute arbitrary PHP functions via the 'do' parameter.

CVE-2006-0410
Andy Staudacher discovered an SQL injection vulnerability due to insufficient input sanitising that allows remote attackers to execute arbitrary SQL commands.

CVE-2006-0806
GulfTech Security Research discovered multiple cross-site scripting vulnerabilities due to improper user-supplied input sanitisation. Attackers can exploit these vulnerabilities to cause arbitrary scripts to be executed in the browser of an unsuspecting user's machine, or result in the theft of cookie-based authentication credentials.
Hi Lance, this might need a bump, please advise.
I just sent an email to the upstream developer I've dealt with directly. Hopefully I'll get an answer soon concerning this issue.
I've got an update on the issue. Below are excerpts from the email I received from the developers of cacti:

---
Tony,

The current 0.8.6h release should not be susceptible to this vulnerability. We removed the following files from the distribution based upon the original advisory [0].

lib/adodb/pivottable.inc.php
lib/adodb/rsfilter.inc.php
lib/adodb/server.php

Also, see commit #3496.

Ian

[0] http://secunia.com/advisories/17418/
----
Lance Albertson wrote:
> What about the releases prior to 0.8.6h? I still have 0.8.6g in our
> package repository and would need to remove it if that is possibly
> vulnerable. Thanks for the quick reply!

Yes, versions prior to 0.8.6h are still vulnerable.

Ian
----

x86 should be fine, but it looks like alpha and sparc have yet to mark a 0.8.6h version as stable. It's your call on what we should do.
At least adodb-pager.inc.php is still included in a version from adodb-4.71 or lower which is not fixed for CVE-2006-0806. So unless this is not exploitable in the cacti context at least the XSS vulnerability remains. Maybe I missed something, Lance could you take a second look?
I just got a reply from Ian Berry and it seems he may have missed that one. I've sent him the full text from the first comment in this bug in case he missed seeing that. The initial reaction was for us to create a revision that removed that file. I'm waiting to hear back from him to find out if that will definitely work or not.
I have removed the adodb-pager.inc.php file and confirmed that it does not affect Cacti's operation. This will be included in the next release, 0.8.6i. For now, I recommend that you push a new revision of the 0.8.6h ebuild that takes care of deleting this file.
Thanks for commenting on the bug Ian. I've committed cacti-0.8.6h_p20060108-r2 into portage which will remove that file. I haven't marked it stable yet. Let me know when you want me to do that.
Please test and mark stable.
I've done x86 since I use this daily on several boxes. The changes seem fine and haven't adversely affected my install.
Seems to work fine on alpha.
SPARC'd
Thx, this one is ready for GLSA.
GLSA 200604-07
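
The following check is an added example, not part of the bug thread or of the Cacti or Gentoo code. It lists any of the four ADOdb scripts named in the thread that are still present in a Cacti tree; the function name is hypothetical, and the lib/adodb location for adodb-pager.inc.php is an assumption based on the other three paths.

```shell
#!/bin/sh
# Added example: audit a Cacti install for the bundled ADOdb scripts that the
# thread says were removed (three in 0.8.6h, adodb-pager.inc.php afterwards).
# Assumption: the bundled ADOdb copy lives under <cacti_root>/lib/adodb.
REMOVED_ADODB_FILES="pivottable.inc.php rsfilter.inc.php server.php adodb-pager.inc.php"

# audit_cacti_adodb <cacti_root>
# Prints one path per leftover file on stdout.
# Returns 0 if none remain, 1 if any remain, 2 if lib/adodb is missing
# (so "nothing checked" is never mistaken for "clean").
audit_cacti_adodb() {
    adodb_dir="$1/lib/adodb"
    if [ ! -d "$adodb_dir" ]; then
        echo "cannot check: $adodb_dir is not a directory" >&2
        return 2
    fi
    hits=""
    for name in $REMOVED_ADODB_FILES; do
        # Search the whole subtree so a copy in a subdirectory is still reported.
        match=$(find "$adodb_dir" -type f -name "$name" 2>/dev/null | sort)
        if [ -n "$match" ]; then
            hits="${hits}${match}
"
        fi
    done
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s' "$hits"
    return 1
}
```

Call it as `audit_cacti_adodb /path/to/cacti`; a return value of 1 means the install still ships at least one of the files.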