Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209918 (CVE-2008-0783) - net-analyzer/cacti < 0.8.7b multiple vulnerabilities (CVE-2008-{0783,0784,0785,0786})
Summary: net-analyzer/cacti < 0.8.7b multiple vulnerabilities (CVE-2008-{0783,0784,078...
Status: RESOLVED FIXED
Alias: CVE-2008-0783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28872/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-12 20:46 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2008-03-10 21:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-12 20:46:19 UTC
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct HTTP response splitting, cross-site scripting, and SQL injection attacks.

1) Input passed to unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 0.8.7a. Prior versions may also be affected.

Solution:
Update to version 0.8.7b.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-12 20:47:48 UTC
netmon, please bump as necessary.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-02-13 13:10:54 UTC
Thank you, Pierre-Yves, for report

0.8.6j-r8, 0.8.7a-r2, 0.8.7b are fixed versions in the tree. Stabilization is required only for 0.8.6j-r8.

0.8.6k was not added as there is no upstream provided upgrade path to 0.8.7 branch. I would like to stabilize only 0.8.6j-r8 and keep 0.8.7* unstable until I'll manage to find answers to problems which appeared in 0.8.7b (not critical but I'd like to fix that or warn users appropriately). Also I'd like to see 0.8.7 branch stable together with cacti-spine. So, do not stabilize 0.8.7. Give me another week :)
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-13 17:49:30 UTC
Thx Peter.

Arches please test and mark stable. Target keywords are:

cacti-0.8.6j-r8.ebuild:KEYWORDS="alpha amd64 ~hppa ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-14 07:47:03 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2008-02-14 19:20:22 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-02-15 13:55:17 UTC
alpha/sparc stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-19 19:44:59 UTC
ppc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 15:13:42 UTC
amd64 stable
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 16:33:10 UTC
Steev, while stabilization of cacti-0.8.7b is a generally good thing (appropriate bug is filled), please, stabilize 0.8.6j-r8 too. Thank you.
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 19:24:47 UTC
(In reply to comment #9)
> Steev, while stabilization of cacti-0.8.7b is a generally good thing
> (appropriate bug is filled), please, stabilize 0.8.6j-r8 too. Thank you.
> 

sorry, fixed
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-25 20:12:13 UTC
This one is ready for GLSA vote. I vote YES.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 20:30:30 UTC
Fixed in release snapshot.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-02-25 22:16:26 UTC
YES, filed.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 22:39:30 UTC
CVE-2008-0783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0783):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before
  0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web
  script or HTML via the (1) view_type parameter to graph.php, (2) filter
  parameter to graph_view.php, and (3) action and login_username parameters to
  index.php/login.

CVE-2008-0784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0784):
  graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote
  attackers to obtain the full path via an invalid local_graph_id parameter and
  other unspecified vectors.

CVE-2008-0785 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0785):
  Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6
  before 0.8.6k allow remote authenticated users to execute arbitrary SQL
  commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and
  id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php,
  and (4) login_username parameter to index.php/login.

CVE-2008-0786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0786):
  CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before
  0.8.6k, when running on older PHP interpreters, allows remote attackers to
  inject arbitrary HTTP headers and conduct HTTP response splitting attacks via
  unspecified vectors.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-10 21:54:00 UTC
GLSA 200803-18