Bugzilla – Bug 91166
VUL-0: CVE-2005-1526: cacti SQL injection
Last modified: 2021-12-01 17:24:13 UTC
Hello Wolfgang, we received this private note:

Date: Wed, 15 Jun 2005 20:54:16 -0500
From: Tony Roman <roman@disorder.com>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
To: marc@suse.de, thomas@suse.de, draht@suse.de, krahmer@suse.de, meissner@suse.de, lnussel@suse.de
Cc: Larry Adams <larryjadams@comcast.net>, "J.P. Pasnak" <pasnak@warpedsystems.sk.ca>, Ian Berry <iberry@raxnet.net>, vendor-disclosure@idefense.com
Subject: Cacti Release Announcement - Security UPDATE - 6-15-2005

To whom it may concern, please forward the following to the appropriate person or persons at Suse, or let us know who the appropriate person would be.

Recently the Cacti group had been informed of some serious security issues that would allow for SQL injection and global php variable overwriting. To resolve these issues, we have a new release of Cacti 0.8.6e, which includes the security fixes and some minor bug fixes.

We will be announcing the new release of Cacti 0.8.6e on Monday June 20th. You can find Cacti 0.8.6e at http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz, which is the standard download location.

We hope this will at least be enough time to get the ball rolling for updating related packages in distributions. If you have any questions, please let us know.

Thanks,
The Cacti Group

Tony Roman
Cacti Developer
SM-Tracker-1580
please tell me if a version update is allowed for SL 9.1 - 9.3. AJ is on vacation.
Anja and Harald are his proxy.
Version Update approved by kukuk as long as there are no changes, as long as the packager checks the functionality at least for 9.3
question is if the fixing patch is small or not?
I'll make a diff between the two versions.
The diff is 220k. I've contacted the authors to ask if they can provide more information on what we need to fix.
shipped versions:
9.1: 0.8.5
9.2: 0.8.5a
9.3: 0.8.6c
(security release: 0.8.6e)

We have a security-only patch for 0.8.6c. It's not easy to port this to former versions reliably. Please give me a hint, what to do. (I've tested the new version on 9.1 and it works, although the database structure has to be updated (this happens automatically if new cacti is accessed after update)).
Andreas, we would need your approval for a version upgrade here.
PING AJ
Version update approved - but please test the version!
Multiple Vendor Cacti Multiple SQL Injection Vulnerabilities
iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=267&type=vulnerabilities
----------------------
Multiple Vendor Cacti config_settings.php Remote Code Execution Vulnerability
iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=266&type=vulnerabilities
----------------------
Multiple Vendor Cacti Remote File Inclusion Vulnerability
iDEFENSE Security Advisory 06.22.05
www.idefense.com/application/poi/display?id=265&type=vulnerabilities
We should release updates very soon b/c an exploit is available.
Created attachment 39805
cacti.pl

    # Remote Command Execution Exploit for Cacti <= 0.8.6d
    #
    # This exploit open a remote shell on the targets that uses Cacti
    # TARGET HOST MUST BE A GNU/LINUX SERVER, if not:
    # manual exploiting --> http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&graph_start=%0a[command]%0a
    # Patch: download the last version http://www.cacti.net/download_cacti.php
    # Discovered and Coded by Alberto Trivero

Use this as TEST-CASE.
packages have been copied for 9.1, 9.2 and 9.3. Those are version upgrades because backporting to 9.1 and 9.2 was not safe. @security-team: If you write the patchinfos, please give a hint to the upgrade notes (release notes) at http://www.cacti.net/release_notes_0_8_6e.php
Will do, thanks!
/work/src/done/PATCHINFO/cacti.patch.box
done
*** Bug 95513 has been marked as a duplicate of this bug. ***
CAN-2005-1524 CAN-2005-1525 CAN-2005-1526
CVE-2005-1526: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)