From ${URL} : A posting to bugtraq from Deutsche Telekom [1] noted multiple flaws in Cacti 0.8.7g:

CVE-2014-2326: stored XSS
"The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding."

CVE-2014-2327: missing CSRF token
"The Cacti application does not implement any CSRF tokens. For more about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system. Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application."

CVE-2014-2328: use of exec-like function calls without safety checks allows arbitrary command execution
"Cacti makes use of exec-like PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with an XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
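The three weakness classes quoted above (unquoted input reaching an exec-like call, no CSRF token, no output encoding) each next to the fix a reviewer would expect. This is an added illustration in PHP, not Cacti's code; the function names, the rrdtool invocation and the allow-list patterns are constructed for the example.

```php
<?php
// Added illustration (not Cacti's code): each weakness named in the
// Deutsche Telekom posting, shown next to its mitigation. Function and
// parameter names are constructed for this example.

// CVE-2014-2328 / CVE-2014-2709: shell metacharacters reaching an exec-like call.
// Vulnerable pattern: request values spliced into the command string unquoted.
function rrd_fetch_unsafe(string $rrdFile, string $start): string {
    return (string) shell_exec("rrdtool fetch $rrdFile AVERAGE --start $start");
}
// Hardened: allow-list each value, then quote every argument with escapeshellarg().
function rrd_fetch_safe(string $rrdFile, string $start): string {
    if (!preg_match('/^[A-Za-z0-9_\-]+\.rrd$/', $rrdFile)) {
        throw new InvalidArgumentException('unexpected rrd filename');
    }
    if (!preg_match('/^-?\d+$/', $start)) {
        throw new InvalidArgumentException('start must be an integer timestamp');
    }
    $cmd = 'rrdtool fetch ' . escapeshellarg($rrdFile)
         . ' AVERAGE --start ' . escapeshellarg($start);
    return (string) shell_exec($cmd);
}

// CVE-2014-2327: no CSRF token. Issue one random token per session and
// require it, compared in constant time, on every state-changing request.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// CVE-2014-2326: stored XSS from improper output encoding. Encode stored
// values at the point of output, for the HTML context they land in.
function html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

A POST handler would call csrf_check($_POST) before any configuration change and reject the request with 403 when it returns false; every stored field echoed into a page goes through html().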
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability http://svn.cacti.net/viewvc?view=rev&revision=7443
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability http://svn.cacti.net/viewvc?view=rev&revision=7442
CVE-2014-2326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2326): Cross-site scripting (XSS) vulnerability in Cacti 0.8.7g allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
One more (no CVE yet): http://www.openwall.com/lists/oss-security/2014/04/01/3 http://svn.cacti.net/viewvc?view=rev&revision=7393 http://bugs.cacti.net/view.php?id=2405 (undisclosed)
CVE-2014-2328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2328): lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.
CVE-2014-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2327): Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.
CVE-2014-2709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2709): lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.
CVE-2014-2708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2708): SQL injection vulnerability in graph_xport.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
This is fixed in 0.8.8c; we have 0.8.8d in tree. New GLSA request filed.
This issue was resolved and addressed in GLSA 201509-03 at https://security.gentoo.org/glsa/201509-03 by GLSA coordinator Kristian Fiskerstrand (K_F).