cacti remote injection exploit

This is quite easy to work around. Add the following lines to /etc/cacti/apache.conf:

        <Files cmd.php>
                Deny from All
        </Files>
        <Files poller.php>
                Deny from All
        </Files>

These script shouldn't be reachable through the webserver anyways.

Just saw someone trying this exploit out on a box.. :-( saw the exploit from sans at the end of december, but still no patch to Ubuntu!!

Setting importance to high, due to impact of exploit.

This thread has patches for 0.8.6h and 0.8.6i:

http://forums.cacti.net/post-88714.html

just filed a sync request to get the fixed version from debian into feisty.

Feisty package is built and thus fixed... (in case this bug vanishes completely from the list of -swat, I'll reopen it)

Question: is there a plan to push a fix for this out to Dapper?

Yes the plan is there. However I cannot promise you a date when this will happen, since we are a little bit low on manpower :(.

I have .debdiffs prepared which need some testing.

I am going to attach them. It would be nice if you could try those and report if they work. Please also include your distribution.

I am now going to attach debs fixing the issue for Edgy and Dapper.

It would be nice if you could try those and report if they work. Please also include your distribution.

The cacti Dapper deb does not seem to work, I would suggest not to try it since it seems to break some stuff..

The cacti Edgy deb works fine for me when upgrading from 0.8.6h-3. Could anyone please confirm that so that we can push the updated deb to edgy-security?

The cacti Dapper deb works fine for me now, also.

The problem was that I did not receive any notifications from debconf.

Now, I got one saying that a table already exists. I selected ignore and the update installed successfully:

root@martin-desktop:/tmp# dpkg -i cacti_0.8.6h-1ubuntu3.1_all.deb
(Lese Datenbank ... 13579 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereiten zum Ersetzen von cacti 0.8.6h-1ubuntu3 (durch cacti_0.8.6h-1ubuntu3.1_all.deb) ...
Entpacke Ersatz für cacti ...
Richte cacti ein (0.8.6h-1ubuntu3.1) ...
dbconfig-common: writing config to /etc/dbconfig-common/cacti.conf
Replacing config file /etc/cacti/debian.php with new version
granting access to database cacti for cacti@localhost: already exists.
creating database cacti: already exists.
error encountered populating database:
mysql said: ERROR 1050 (42S01) at line 5: Table 'cdef' already exists
dbconfig-common: cacti configure: ignoring errors from here forwards
dbconfig-common: flushing administrative password

:::::

Here also:
Could anyone please confirm that it works for Dapper so that we can push the updated deb to dapper-security?

New cacti Edgy deb, available at [1], needs further user testing.

[1] http://gamesplace.info/opensource/ubuntu/cacti/cacti_0.8.6h-1ubuntu3.1_all.deb

New cacti Dapper deb should work but has to be fixed so that no dialogue appears.

Hi Martin, what's the status of these debdiffs? It sounds like they need to be modified in some way to deal with debconf changes, is that correct?

Hi Kees, the Edgy debdiff works fine, the Dapper debdiff has to be modified (I didn't yet find out how)

Hi,

I got "hacked" because of this bug (running edgy), Is their an ETA available for the fix? Willing to test it :)

Publishing edgy update now. Dapper still needs someone to fix the database errors.

Kees, thanks..

Sadly, nobody else of the initial reporters wanted to test the Edgy fix :( Very motivating ;)

Thanks for the fix. Warned some friends as well so they can start the update as well.

Breezy support is over.. Today it's Breezy End Of Life!

Trent Lloyd tested similar fixes, and they seem to work, so I've published that version. It should be on the archives shortly.