Bug 91166 (CVE-2005-1526)

Summary: VUL-0: CVE-2005-1526: cacti SQL injection
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: aj, ast, hmuelle, meissner, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-1526: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: cacti.pl

Description Thomas Biege 2005-06-16 06:26:20 UTC 
Hello Wolfgang,
we received this private note:

Date: Wed, 15 Jun 2005 20:54:16 -0500
From: Tony Roman <roman@disorder.com>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
To: marc@suse.de, thomas@suse.de, draht@suse.de, krahmer@suse.de,
        meissner@suse.de, lnussel@suse.de
Cc: Larry Adams <larryjadams@comcast.net>,
        "J.P. Pasnak" <pasnak@warpedsystems.sk.ca>,
        Ian Berry <iberry@raxnet.net>, vendor-disclosure@idefense.com
Subject: Cacti Release Announcement - Security UPDATE - 6-15-2005

To whom is may concern, please forward the following to the appropriate
person or persons at Suse, or let us know who the appropriate person
would be.

Recently the Cacti group had been informed of some serious security
issues that would allow for SQL injection and global php variable
overwriting.  To resolve these issues, we have new release of Cacti
0.8.6e, which includes the security fixes and some minor bug fixes.

We will be announcing the new release of Cacti 0.8.6e on Monday June 20th.

You can find Cacti 0.8.6e at
http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz, which is the
standard download location.

We hope this will at least be enough time to get the ball rolling for
updating related packages in distributions.

If you have any questions, please let us know.

Thanks,

The Cacti Group

Tony Roman
Cacti Developer
Comment 1 Thomas Biege 2005-06-16 06:32:23 UTC 
SM-Tracker-1580
Comment 2 Wolfgang Rosenauer 2005-06-16 06:45:54 UTC 
please tell me if a version update is allowed for SL 9.1 - 9.3.
AJ is on vacation.
Comment 3 Thomas Biege 2005-06-16 07:38:19 UTC 
Anja and Harald are his proxy.
Comment 4 Harald Mueller-Ney 2005-06-16 09:31:58 UTC 
Version Update approved by kukuk as long as there no changes as long as the
packager checks the functionality at least for 9.3
Comment 5 Marcus Meissner 2005-06-16 10:08:25 UTC 
question is if the fixing patch is small or not?
Comment 6 Wolfgang Rosenauer 2005-06-16 10:23:27 UTC 
I'll make a diff between the two versions.
Comment 7 Wolfgang Rosenauer 2005-06-16 11:02:59 UTC 
The diff is 220k. I've contacted the authors if they can provide more
information what we need to fix.
Comment 8 Wolfgang Rosenauer 2005-06-20 04:45:28 UTC 
shipped versions:
9.1: 0.8.5
9.2: 0.8.5a
9.3: 0.8.6c
(security release: 0.8.6e)

We have a security-only patch for 0.8.6c. It's not easy to port this to former
versions reliably.
Please give me a hint, what to do.
(I've tested the new version on 9.1 and it works, although the database
structure has to be updated (this happens automatically if new cacti is accessed
after update)).
Comment 9 Marcus Meissner 2005-06-20 13:31:25 UTC 
andreas, we would need your approval for a version zupgrade here.
Comment 10 Marcus Meissner 2005-06-22 15:44:59 UTC 
PING AJ
Comment 11 Andreas Jaeger 2005-06-23 07:21:29 UTC 
Versionupdate approved - but please test the version!
Comment 12 Thomas Biege 2005-06-23 07:23:13 UTC 
Multiple Vendor Cacti Multiple SQL Injection Vulnerabilities 

iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=267&type=vulnerabilities

----------------------

Multiple Vendor Cacti config_settings.php Remote Code Execution
Vulnerability

iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=266&type=vulnerabilities

----------------------

Multiple Vendor Cacti Remote File Inclusion Vulnerability

iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=265&type=vulnerabilities
Comment 13 Thomas Biege 2005-06-24 06:56:51 UTC 
We should release updates very soon b/c a exploit is available.
Comment 14 Thomas Biege 2005-06-24 06:58:08 UTC 
Created attachment 39805 [details]
cacti.pl

# Remote Command Execution Exploit for Cacti <= 0.8.6d
#
# This exploit open a remote shell on the targets that uses Cacti
# TARGET HOST MUST BE A GNU/LINUX SERVER, if not:
# manual exploiting -->
http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&gr
aph_start=%0a[command]%0a
# Patch: download the last version http://www.cacti.net/download_cacti.php
# Discovered and Coded by Alberto Trivero

Use this as TEST-CASE.
Comment 15 Wolfgang Rosenauer 2005-06-24 07:17:39 UTC 
packages have been copied for 9.1, 9.2 and 9.3.
Those are version upgrades because backporting to 9.1 and 9.2 was not safe.
@security-team: If you write the patchinfos, please give a hint to the upgrade
notes (release notes) at http://www.cacti.net/release_notes_0_8_6e.php
Comment 16 Thomas Biege 2005-06-24 08:02:03 UTC 
Will do, thanks!
Comment 17 Thomas Biege 2005-06-24 08:35:11 UTC 
/work/src/done/PATCHINFO/cacti.patch.box
Comment 18 Thomas Biege 2005-06-24 15:37:56 UTC 
done
Comment 19 Marcus Meissner 2005-07-07 11:43:00 UTC 
*** Bug 95513 has been marked as a duplicate of this bug. ***
Comment 20 Ludwig Nussel 2005-07-11 07:31:17 UTC 
CAN-2005-1524 
CAN-2005-1525 
CAN-2005-1526
Comment 21 Thomas Biege 2009-10-13 21:28:29 UTC 
CVE-2005-1526: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)