[CVE-2007-6035] cacti has a sql injection vulnerability

Bug #164072 reported by Stephan Rügamer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cacti (Debian) | Fix Released | Unknown | | |
| cacti (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Dapper | Fix Released | High | Brian Thomason | |
| Edgy | Fix Released | High | Stephan Rügamer | |
| Feisty | Fix Released | High | Stephan Rügamer | |
| Gutsy | Fix Released | High | Stephan Rügamer | |
| Hardy | Fix Released | Undecided | Unassigned | |

Bug Description

Binary package hint: cacti

Dear Colleagues,

A SQL injection vulnerability was found for cacti < 0.8.7a.

From NVD:

SQL injection vulnerability in Cacti before 0.8.7a allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Regards,

\sh

Stephan Rügamer (sruegamer) wrote :
Changed in cacti:
assignee: nobody → shermann
status: New → In Progress
William Grant (wgrant) wrote :

I believe that CVE-2007-311[23] also affect all releases. It might be good to fix those now too.

Changed in cacti:
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
assignee: shermann → nobody
status: In Progress → Fix Released
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
Stephan Rügamer (sruegamer) wrote :

Working on it, please don't push this to -security.

Updated debdiffs are coming.

Changed in cacti:
status: Unknown → Fix Released
Stephan Rügamer (sruegamer) wrote :

CVE-2007-311[23] already fixed in our cacti package for gutsy...

\sh

Stephan Rügamer (sruegamer) wrote :
Stephan Rügamer (sruegamer) wrote :
Stephan Rügamer (sruegamer) wrote :

no drupal5 in dapper

Changed in cacti:
assignee: shermann → nobody
status: In Progress → Invalid
Kees Cook (kees) wrote :

Thanks for the debdiffs! These look good, I've got them building now. They should publish shortly.

Changed in cacti:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in cacti:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Christian Weigel (christian-dm00) wrote :

This might be a different issue, but running checks with Nessus reported this problem on one of my machines:

"The version of Cacti does not properly check
whether the 'copy_cacti_user.php' script is being run from a
commandline and fails to sanitize user-supplied input before using it
in database queries. Provided PHP's 'register_argc_argv' parameter is
enabled, which is the default, an attacker can leverage this issue to
launch SQL injection attack against the underlying database and, for
example, add arbitrary administrative users."

I ran the test script at

http://milw0rm.com/exploits/3045

"successfully" with Dapper (Cacti 0.8.6h-ubuntu1)
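
The failure mode described in the Nessus text quoted above, seen from the defensive side. This is an added example, not part of the thread and not Cacti's own code: a CLI-only PHP maintenance script that refuses web invocation and passes its arguments to the database only as bound parameters. The `users` table, its columns and the function names are hypothetical, and the in-memory SQLite database is constructed so the script runs offline.

```php
<?php
// Added example: hardened skeleton for a CLI-only maintenance script.
// Table, column and function names are hypothetical.

// With register_argc_argv enabled, a web SAPI fills $_SERVER['argv'] from the
// query string, so the presence of argv does not prove command-line use.
function is_cli_invocation(string $sapi, array $server): bool
{
    return $sapi === 'cli'
        && !isset($server['REQUEST_METHOD'])
        && !isset($server['REMOTE_ADDR']);
}

function copy_user(PDO $db, string $template, string $new): bool
{
    // Allow-list the argument format before it gets near a query.
    foreach ([$template, $new] as $name) {
        if (!preg_match('/^[A-Za-z0-9_.-]{1,50}$/', $name)) {
            return false;
        }
    }
    // Bound parameters keep the arguments as data, never as SQL text.
    $sel = $db->prepare('SELECT realm FROM users WHERE username = ?');
    $sel->execute([$template]);
    $realm = $sel->fetchColumn();
    if ($realm === false) {
        return false; // template user does not exist
    }
    $ins = $db->prepare('INSERT INTO users (username, realm) VALUES (?, ?)');
    return $ins->execute([$new, $realm]);
}

if (!is_cli_invocation(PHP_SAPI, $_SERVER)) {
    http_response_code(403);
    exit("This script may only be run from the command line.\n");
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, realm INTEGER)');
$db->exec("INSERT INTO users VALUES ('template_user', 0)");

var_dump(copy_user($db, 'template_user', 'alice'));     // well-formed names
var_dump(copy_user($db, "template_user' --", 'bob'));   // fails the allow-list
```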

William Grant (wgrant) wrote :

Oh dear, that's correct. Stephan apparently marked this Dapper task Invalid, when he thought it was another bug... Stephan, could you please provide a debdiff for Dapper when you have time?

No releases other than Dapper should remain affected.

Changed in cacti:
status: Invalid → Confirmed
Stephan Rügamer (sruegamer) wrote :

Fck....

Sure...

Changed in cacti:
assignee: nobody → shermann
Changed in cacti:
assignee: shermann → brian-thomason
Brian Thomason (brian-thomason) wrote :

I have attached a debdiff for Dapper based on Stephan's work. I ran the exploit script to verify, and while the exploit does not succeed, the query that it attempts simply fails. If anyone else has cacti set up and would like to test this patch, I'd appreciate it.

Jamie Strandboge (jdstrand) wrote :

Marking as In Progress per SecurityUpdateProcedures

Changed in cacti:
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff Brian! It looks great and I have committed it to our security queue.

Changed in cacti:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

This was published a couple days ago. Thanks again for the patch Brian!

Changed in cacti:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.