Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct HTTP response splitting, cross-site scripting, and SQL injection attacks.

1) Input passed to unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 0.8.7a. Prior versions may also be affected.

Solution: Update to version 0.8.7b.
netmon, please bump as necessary.
Thank you, Pierre-Yves, for the report. 0.8.6j-r8, 0.8.7a-r2, 0.8.7b are fixed versions in the tree. Stabilization is required only for 0.8.6j-r8. 0.8.6k was not added as there is no upstream-provided upgrade path to the 0.8.7 branch. I would like to stabilize only 0.8.6j-r8 and keep 0.8.7* unstable until I manage to find answers to problems which appeared in 0.8.7b (not critical, but I'd like to fix that or warn users appropriately). Also, I'd like to see the 0.8.7 branch stable together with cacti-spine. So, do not stabilize 0.8.7. Give me another week :)
Thx Peter. Arches please test and mark stable. Target keywords are:
cacti-0.8.6j-r8.ebuild:KEYWORDS="alpha amd64 ~hppa ppc ppc64 sparc x86"
x86 stable
ppc64 stable
alpha/sparc stable
ppc stable
amd64 stable
Steev, while stabilization of cacti-0.8.7b is a generally good thing (appropriate bug is filed), please, stabilize 0.8.6j-r8 too. Thank you.
(In reply to comment #9)
> Steev, while stabilization of cacti-0.8.7b is a generally good thing
> (appropriate bug is filed), please, stabilize 0.8.6j-r8 too. Thank you.
>
sorry, fixed
This one is ready for GLSA vote. I vote YES.
Fixed in release snapshot.
YES, filed.
CVE-2008-0783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0783): Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via the (1) view_type parameter to graph.php, (2) filter parameter to graph_view.php, and (3) action and login_username parameters to index.php/login.

CVE-2008-0784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0784): graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors.

CVE-2008-0785 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0785): Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.

CVE-2008-0786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0786): CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
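
Added example, not part of the bug thread or of Cacti: a small access-log review that flags requests to the scripts and parameters named in the CVE entries above when their values look malformed. The list of numeric parameters, the allow-list for text parameters, and the sample log lines are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> query parameters named in CVE-2008-0783, -0784 and -0785.
WATCHED = {
    "graph.php": {"view_type", "local_graph_id"},
    "graph_view.php": {"filter", "graph_list"},
    "tree.php": {"leaf_id", "id"},
    "graph_xport.php": {"local_graph_id"},
    "index.php": {"action", "login_username"},
}
# Assumption: these carry plain integers in normal use.
NUMERIC = {"local_graph_id", "leaf_id", "id"}
DIGITS = re.compile(r"[0-9]+")
# Assumption: a conservative allow-list for the remaining text parameters.
SAFE_TEXT = re.compile(r"[A-Za-z0-9_ .,-]*")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def review_line(line):
    """Return (script, parameter, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Match any path segment so /cacti/index.php/login maps to index.php.
    script = next((s for s in url.path.split("/") if s in WATCHED), None)
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            # CVE-2008-0786 names no vector, so check every parameter.
            findings.append((script, name, "CR/LF in value"))
        elif script and name in WATCHED[script]:
            if name in NUMERIC and not DIGITS.fullmatch(value):
                findings.append((script, name, "non-numeric value"))
            elif name not in NUMERIC and not SAFE_TEXT.fullmatch(value):
                findings.append((script, name, "unexpected characters"))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2008:10:00:00 +0000] "GET /cacti/graph.php?local_graph_id=12&view_type=tree HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Mar/2008:10:00:05 +0000] "GET /cacti/graph_xport.php?local_graph_id=12%27 HTTP/1.1" 200 310',
    '192.0.2.11 - - [01/Mar/2008:10:00:09 +0000] "GET /cacti/graph_view.php?filter=%3Cb%3E HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Mar/2008:10:00:12 +0000] "GET /cacti/index.php?x=a%0d%0ab HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for finding in review_line(entry):
            print(entry.split()[0], *finding)
```

Parameters sent in a POST body do not appear in a standard access log, so this review covers query strings only.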
GLSA 200803-18