Bug 506356 (CVE-2014-2326) - net-analyzer/cacti : multiple flaws (CVE-2014-{2326,2327,2328,2708,2709})
Summary: net-analyzer/cacti : multiple flaws (CVE-2014-{2326,2327,2328,2708,2709})
Status: RESOLVED FIXED
Alias: CVE-2014-2326
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-31 09:51 UTC by Agostino Sarubbo
Modified: 2015-09-24 16:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-03-31 09:51:12 UTC
From ${URL} :

A posting to bugtraq from Deutsche Telekom [1] noted multiple flaws in Cacti 0.8.7g:

CVE-2014-2326: stored XSS
"The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output 
encoding."

CVE-2014-2327: missing CSRF token
"The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations 
see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on 
the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF 
attack. One very critical attack vector is the modification of several binary files in the Cacti 
configuration, which may then be executed on the server. This results in full compromise of the Cacti host 
by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, 
resulting in full (system level) access of the Cacti system. Further attack scenarios include the 
modification of the Cacti configuration and adding arbitrary (admin) users to the application."

CVE-2014-2328: use of exec-like function calls without safety checks allow arbitrary command execution
"Cacti makes use of exec-like method PHP function calls, which execute command shell code without any 
safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of 
the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack 
will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
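The two defensive patterns the quoted advisory calls for (a CSRF token on state-changing requests, and no raw request data inside exec-like calls) can be shown side by side. The following is an added example written for this bug page; it is not Cacti's code and not the fix from the linked SVN revisions. The endpoint, the `rra` directory path, the session key name and the `handle_export` handler are all hypothetical; it only assumes PHP 7 or later for `random_bytes`.

```php
<?php
// Added example, not Cacti code. Illustrates the CVE-2014-2327 (missing CSRF token)
// and CVE-2014-2328 / CVE-2014-2709 (unescaped shell metacharacters) fixes in the
// abstract. All names and paths below are constructed for the example.
declare(strict_types=1);

// --- CSRF: one random token per session, verified on every state-changing POST ---

function csrf_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded; stored server-side and echoed into forms.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post, array $session): bool {
    // Reject when either side is missing, and compare in constant time.
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals((string) $session['csrf_token'], (string) $post['csrf_token']);
}

// --- Command execution: never interpolate request data into a shell string ---

// The flaw class the advisory describes: $name is concatenated into a command
// line, so any shell metacharacters it carries are interpreted by /bin/sh.
function export_vulnerable(string $name): string {
    $out = shell_exec("rrdtool dump /var/lib/cacti/rra/$name.rrd");
    return $out === null ? '' : $out;
}

// Hardened form: restrict the value to the shape a legitimate name can have,
// then still escape the single argument (defense in depth).
function export_hardened(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid RRD name');
    }
    $path = '/var/lib/cacti/rra/' . $name . '.rrd';      // hypothetical location
    $out = shell_exec('rrdtool dump ' . escapeshellarg($path));
    return $out === null ? '' : $out;
}

// Hypothetical request handler tying both checks together.
function handle_export(array $post, array $session): string {
    if (!csrf_check($post, $session)) {
        http_response_code(403);
        return 'CSRF token missing or invalid';
    }
    try {
        return export_hardened((string) ($post['name'] ?? ''));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return $e->getMessage();
    }
}
```

The order of the checks matters for the combined scenario the advisory describes: the CSRF check runs before any parameter is looked at, so a forged cross-site request is rejected regardless of what it carries, and the argument whitelist plus `escapeshellarg` means that even an authenticated user cannot turn the export into an arbitrary command.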
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-31 13:35:03 UTC
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability 
http://svn.cacti.net/viewvc?view=rev&revision=7443

bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://svn.cacti.net/viewvc?view=rev&revision=7442
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-01 12:25:03 UTC
CVE-2014-2326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2326):
  Cross-site scripting (XSS) vulnerability in Cacti 0.8.7g allows remote
  attackers to inject arbitrary web script or HTML via unspecified vectors.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:58:49 UTC
CVE-2014-2328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2328):
  lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote
  authenticated users to execute arbitrary commands via shell metacharacters
  in unspecified vectors.

CVE-2014-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2327):
  Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and
  earlier allows remote attackers to hijack the authentication of users for
  unspecified commands, as demonstrated by requests that (1) modify binary
  files, (2) modify configurations, or (3) add arbitrary users.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:59:29 UTC
CVE-2014-2709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2709):
  lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to
  execute arbitrary commands via shell metacharacters in unspecified
  parameters.

CVE-2014-2708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2708):
  SQL injection vulnerability in graph_xport.php in Cacti 0.8.8b allows remote
  attackers to execute arbitrary SQL commands via unspecified vectors.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-07-13 14:56:15 UTC
This is fixed in 0.8.8c, we have 0.8.8d in tree. 

New GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 16:51:30 UTC
This issue was resolved and addressed in
 GLSA 201509-03 at https://security.gentoo.org/glsa/201509-03
by GLSA coordinator Kristian Fiskerstrand (K_F).