Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 159278 - net-analyzer/cacti Cacti "cmd.php" Command Execution and SQL Injection (CVE-2006-6799)
Summary: net-analyzer/cacti Cacti "cmd.php" Command Execution and SQL Injection (CVE-2...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa] jaervosz
: 159279 (view as bug list)
Depends on:
Reported: 2006-12-28 06:34 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-01-26 16:02 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

lib/ping.php patch for php4 (ping.php.diff,1.59 KB, patch)
2007-01-22 19:47 UTC, Hans Rakers
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-28 06:34:13 UTC
rgod has discovered three vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.
 1) The cmd.php script does not properly restrict access to command line usage and is installed in a web-accessible location.
 Successful exploitation requires that "register_argc_argv" is enabled.
 2) Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
 Successful exploitation requires that "register_argc_argv" is enabled.
 3) The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary shell commands.
 The vulnerabilities are confirmed in version 0.8.6i. Other versions may also be affected.

Move the "cmd.php" script to a not web-accessible path, and update other scripts accordingly.
 Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-12-28 06:43:38 UTC
*** Bug 159279 has been marked as a duplicate of this bug. ***
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-30 13:55:45 UTC
CC'ing herd and maintainer as this is really not a nice one
Is there a patch coming soon? Otherwise we might want to consider moving cmd.php for now or something...
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-04 11:59:32 UTC
netmon please advise.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2007-01-07 13:44:16 UTC
The patch that fixes vulnerabilities was released today by upstream
I'm going to apply it/them today.
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2007-01-07 15:40:22 UTC
UPSTREAM_PATCHES="poller_output_remainder dec06-vulnerability-poller-0.8.6i
dec06-vulnerability-scripts-0.8.6i import_template_argument_space_removal" are applied in cacti-0.8.6i-r1. This should close all known ATM vulnerabilities.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:58:03 UTC
Thanks Volkov, and sorry for the delay.

Hello arch teams, please test and mark stable cacti-0.8.6i-r1 if appropriate, thanks.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-01-13 09:56:43 UTC
ppc64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-13 10:10:25 UTC
no version marked as stable for ppc.
Comment 9 Markus Meier gentoo-dev 2007-01-13 19:09:43 UTC
net-analyzer/cacti-0.8.6i-r1  USE="apache2 -apache -snmp -vhosts"
1. emerges on x86
2. passes collision test
3. works

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Last Sync: Sat, 13 Jan 2007 16:30:04 +0000
ccache version 2.4 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/pack
USE="x86 X a52 aac acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa
_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via8
2xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop
 alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugin
s_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugin
s_shm alsa_pcm_plugins_softvol apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fort
ran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_G
B mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl
svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xpri
nt xv xvid zlib"
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-13 21:12:25 UTC
(In reply to comment #8)
> no version marked as stable for ppc.

right, sorry for the spam
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2007-01-14 00:28:37 UTC
x86 done
Comment 12 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-01-14 14:04:14 UTC
alpha done.
Comment 13 Jason Wever (RETIRED) gentoo-dev 2007-01-16 00:36:27 UTC
SPARC stable
Comment 14 Hans Rakers 2007-01-19 09:41:34 UTC
There's a new vulnerability in 0.8.6i affecting the PHP-based poller. 0.8.6j has been released to address the issue.

See CVE-2006-6799 @

0.8.6j release notes @

Comment 15 Peter Volkov (RETIRED) gentoo-dev 2007-01-21 18:17:06 UTC
Although I'm not a security expert it seems to me that CVE-2006-6799 is speaking about the same security vulnerabilities that are already fixed in cacti-0.8.6i-r1.ebuild. At least I have not found anything new in patch area on, and no new information in CVE-2006-6799. Seems that CVE lists *Common* Vulnerabilities and Exposures which are

"A list of standardized names for vulnerabilities and other information security exposures — CVE aims to standardize the names for all publicly known vulnerabilities and security exposures."

Thus that new CVE page just echo's draft which was started by MITRE corporation.

There exist a new SA23665. But it also does not list new vulnerabilities.

In any way cacti-0.8.6j is in portage. :-)
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 11:41:03 UTC
(In reply to comment #15)
> Although I'm not a security expert it seems to me that CVE-2006-6799 is
> speaking about the same security vulnerabilities that are already fixed in
> cacti-0.8.6i-r1.ebuild. 

i can confirm.

> There exist a new SA23665.

it's just the Suse update. When Gentoo will issue its GLSA, there will be another new Secunia Advisory for the Gentoo update. You can find the links between Secunia Advisories with the "For more information" section in
Comment 17 Hans Rakers 2007-01-22 19:47:35 UTC
Created attachment 107828 [details, diff]
lib/ping.php patch for php4

This patch is for people using Cacti 0.8.6j on servers running php4. 

After updating cacti to 0.8.6j my poller script stopped working (timed out according to the logs). After pulling my hairs out for about an hour, and hating the guts of developers that suppress php error messages by adding @'s to function names, i discovered a change from snmpget to snmpgetnext in ping.php. The snmpgetnext function is only available in php5. This caused the ping_snmp function to bomb out without warning, and the poller to wait indefinitely.

This patch adds a check for php4, and falls back to the old way of doing things if it is detected.

Original patch from
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2007-01-22 21:45:35 UTC
Thank you Hans for report, but next time, please, open another bug. I'll add the patch upstream will release very soon.

Security team: what is the next step? Voting for GLSA?
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-26 14:46:52 UTC
GLSA 200701-23

missing moderation mail for -announce, closing when it hit the list