Cacti, all versions <= 0.8.7, seems to be vulnerable to command execution and SQL injection. Initially reported here: http://forums.cacti.net/viewtopic.php?t=18846 Upstream bug report here: http://bugs.cacti.net/view.php?id=883 This is a Highly critical issue (Secunia rated). I'm going to bump a fixed ebuild in a moment. Stay tuned...
A workaround seems to exist (not tested by me, but seems correct): https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/78453
=================================================
This is quite easy to work around. Add the following lines to /etc/cacti/apache.conf:

<Files cmd.php>
Deny from All
</Files>
<Files poller.php>
Deny from All
</Files>
=================================================
Err. Those links are completely wrong and the security implication is small. It's only known that some security patches and a fixed version were issued: http://forums.cacti.net/viewtopic.php?t=24367 In my attempts to gather information I mixed up version numbers. Sorry for that. In any case, an ebuild for this unknown issue will be available very soon.
We (you :-) handled the issue from the links above at bug 159278. Can you point me to the patch or commit that fixed this SQL injection?
Robert, that was my fault. I'm sorry for the bug spam and disinformation. See my comment #2. The story is that today I received an announcement about a new Cacti release, a security release. I tried to find out what was fixed there and how it could be exploited. During the search I missed the date and mixed up that old issue, handled in bug 159278, with the new one. I've failed to find any relevant information about this new "possible SQL injection" issue, and the upstream bug report mentioned in the commit message http://svn.cacti.net/cgi-bin/viewvc.cgi?view=rev&revision=4289 seems to be closed for reading. So, sorry, I do not have more details than what is in the announcement message (see URI). In any case, I think it's worth fixing this possible injection. The latest release and the fix for the 0.8.6j branch are in portage. I do not want to stabilize the 0.8.7 branch now, as I want to do that together with cactid, which currently has known issues (BTW, the new cactid, called spine, has the same issues too). So I've asked arch teams to stabilize 0.8.6j-r7. If the security team agrees with me, please add arch teams to this bug: alpha@gentoo.org, amd64@gentoo.org, ppc@gentoo.org, ppc64@gentoo.org, sparc@gentoo.org, x86@gentoo.org
Thanks. I guess we'll hear more about this soon.
This security issue is present in Cacti 0.8.7 and 0.8.6j. Patches are available for both versions. Cacti 0.8.7a does not have this issue. Patches: http://www.cacti.net/download_patches.php

The following is an explanation of the security issue:
-----------------------------------------------------------
/cacti/graph.php?local_graph_id=-1+union+select+1,2,3,password+from+user_auth+where+id=1/*

When run, a Validation Error is produced, but it also prints the crypted admin password:

Graphs -> Preview Mode -> fcd382fMYCRYPTEDPASSWORS322fj
-----------------------------------------------------------
All comments about cmd.php and poller.php are old issues that have been resolved.
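An added illustration of the defect class described in the comment above and of the input-validation fix that closes it (example code written for this page, not Cacti's own; the query text, function names and the assumption that local_graph_id is interpolated into a WHERE clause are mine):

```php
<?php
// Added example, not Cacti code. Assumes graph.php builds its SQL from the
// local_graph_id request parameter, as the explanation above describes.

// Vulnerable pattern: the parameter is concatenated into the statement
// unchanged, so a UNION supplied in it becomes part of the query and the
// union's extra column (here a password hash) is rendered into the page.
function build_query_unsafe(string $local_graph_id): string {
    return "SELECT id, title_cache, height, width FROM graph_templates_graph "
         . "WHERE local_graph_id=" . $local_graph_id;
}

// Hardened pattern: accept only a plain decimal id and fail closed on
// anything else before any SQL is built. This is the same idea as the
// numeric input check the upstream patch relies on (assumption: name/shape).
function validate_id(string $value): int {
    if (!preg_match('/^[0-9]+$/', $value)) {
        throw new InvalidArgumentException("Validation error: local_graph_id must be numeric");
    }
    return (int) $value;
}

function build_query_safe(string $local_graph_id): string {
    $id = validate_id($local_graph_id);   // throws on non-numeric input
    return "SELECT id, title_cache, height, width FROM graph_templates_graph "
         . "WHERE local_graph_id=" . $id;  // $id is an int, nothing else can reach the query
}

// Constructed inputs: a normal request and the payload quoted in the report.
$inputs = [
    "12",
    "-1 union select 1,2,3,password from user_auth where id=1/*",
];
foreach ($inputs as $in) {
    echo "input : " . $in . "\n";
    echo "unsafe: " . build_query_unsafe($in) . "\n";
    try {
        echo "safe  : " . build_query_safe($in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe  : request rejected (" . $e->getMessage() . ")\n";
    }
    echo "\n";
}
```

The same whitelist check should be applied to every other numeric request parameter graph.php reads, not only to local_graph_id.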
Thanks for the explanation, Tony. Did you or the person who discovered this already request a CVE name for it?
(In reply to comment #7)
> Thanks for the explanation, Tony. Did you or the person who discovered this
> already request a CVE name for it?

CVE-2007-6035 was assigned to this.
Thanks for requesting, Tomas.
amd64 done...
Since questions arose, please stabilize 0.8.6j-r7.
x86 stable
alpha/sparc stable
ppc64 stable
ppc stable
Vote is open, I vote YES.
I vote yes too.
Request filed.
GLSA 200712-02