Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 199509 - net-analyzer/cacti < 0.8.6j-r7 Possible SQL injection issue (CVE-2007-6035)
Summary: net-analyzer/cacti < 0.8.6j-r7 Possible SQL injection issue (CVE-2007-6035)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3? [glsa]
Depends on:
Reported: 2007-11-18 10:53 UTC by Peter Volkov (RETIRED)
Modified: 2007-12-05 23:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Peter Volkov (RETIRED) gentoo-dev 2007-11-18 10:53:44 UTC
cacti all versions <=0.8.7 seems to be vulnerable to Command Execution and SQL Injection.

Initially reported here:
upstream bug report here:

This is  Highly critical issue (Secunia rated), I'm going to bump fixed ebuild in a moment. Stay tuned...
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2007-11-18 10:56:57 UTC
Workaround seems to exist (not tested by me, but seems correct):
This is quite easy to work around. Add the following lines to /etc/cacti/apache.conf:

        <Files cmd.php>
                Deny from All
        <Files poller.php>
                Deny from All
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2007-11-18 12:17:25 UTC
Err. That links are completely wrong and security implication is small. It's only know that some security patches an fixed version were issued: In attempts to gather information I mixed version numbers. Sorry for that. In any case ebuild for this unknow issue will be available very soon.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 12:21:46 UTC
We (you :-) handled the issue from the links above at bug 159278.

Can you point me to the patch or commit that fixed this sql injection?
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2007-11-18 13:41:59 UTC
Robert, that was my fault. I'm sorry for bug spam and disinformation. See my comment #2. The story is that today I've received announcement about new cacti release - security release. I tried to find out what was fixed there and how it could be exploited. During search I've missed date and mixed that old issue handled in bug 159278 and the new one. 

I've failed failed to find any relevant information about this new "possible SQL injection" issue and upstream bug report mentioned in commit message seems to be closed for reading. So sorry I do not have more details then it is in announcement message (see URI).

In any case, I think it's worth to fix this possible injection. The latest release and fix for branch 0.8.6j are in portage. I do not want to stabilize 0.8.7 branch now as I want to do that together with cactid which currently have known issues (BTW, new cactid called spine has same issues too).

So I'd asked arch teams to stabilize 0.8.6j-r7. If security team agrees with me, please, add arch teams to this bug:,,,,,
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 14:51:10 UTC
Thanks. I guess we'll hear more about this soon.
Comment 6 Tony Roman 2007-11-18 17:44:26 UTC
This security issue is present in Cacti 0.8.7 and 0.8.6j.  Patches are available for both version.  Cacti 0.8.7a does not have this issue.


The following is an explanation of the security issue:

When ran a Validation Error is produced but it also prints the crypted admin password:

Graphs -> Preview Mode -> fcd382fMYCRYPTEDPASSWORS322fj

All comments about cmd.php and poller.php are old issues that have been resolved.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 18:27:35 UTC
Thanks for the explanation, Tony. Did you or the person who discovered this already request a CVE name for it?
Comment 8 Tomas Hoger 2007-11-20 12:06:41 UTC
(In reply to comment #7)
> Thanks for the explanation, Tony. Did you or the person who discovered this
> already request a CVE name for it?

CVE-2007-6035 was assigned to this.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 15:15:46 UTC
Thanks for requesting, Tomas.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-21 19:42:36 UTC
amd64 done...
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-11-21 20:13:43 UTC
Since questions arose, please stabilize 0.8.6j-r7.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-22 08:03:49 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-11-22 17:03:55 UTC
alpha/sparc stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-11-23 20:55:46 UTC
ppc64 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2007-11-24 04:39:08 UTC
ppc stable
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 02:01:00 UTC
Vote is open, I vote YES.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2007-11-26 07:48:35 UTC
I vote yes too.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-02 22:34:35 UTC
request filed.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 23:00:49 UTC
GLSA 200712-02