SecurityTracker.com

SecurityTracker Archives
Category:   Application (Generic)  >   Cacti
Vendors:   RaXnet
(Conectiva Issues Fix) Cacti Input Validation Holes Let Remote Users Inject SQL Commands and Execute Arbitrary Commands
SecurityTracker Alert ID:  1014435
SecurityTracker URL:  http://securitytracker.com/id/1014435
CVE Reference:   CVE-2005-1524, CVE-2005-1525, CVE-2005-1526
Date:  Jul 9 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.8.6e
Description:   Some input validation vulnerabilities were reported in Cacti. A remote user can inject SQL commands. A remote user can execute arbitrary commands on the target system.

The software does not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

If the 'register_globals' setting is 'on' in the target system's 'php.ini' configuration file, then a remote user can supply a specially crafted URL to overwrite certain PHP variables and cause the system to include and execute arbitrary PHP code. The PHP code, including any operating system commands it issues, will run with the privileges of the target web service.

The vendor credits iDEFENSE with reporting these vulnerabilities.
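The two bug classes described above, each beside a hardened form, as an added illustration that is not Cacti's own code (the table name 'items' and the library path are hypothetical):

```php
<?php
// Added illustration, not Cacti's code: the two bug classes named in the
// advisory, each beside a hardened form. Table name 'items' and the library
// path are hypothetical.

// --- 1. Variable overwrite via register_globals (CVE-2005-1524/1526) ---
// Vulnerable: $config is used before this script assigns it. With
// register_globals=on, PHP pre-populates it from request parameters, so the
// include path is attacker-controlled and remote code can be pulled in.
function vulnerable_include(array $config)
{
    include($config["library_path"] . "/functions.php");
}

// Hardened: refuse to run with register_globals on, assign every variable
// before use, and never derive an include path from request data.
function hardened_include()
{
    if (ini_get("register_globals")) {
        die("Refusing to run with register_globals enabled");
    }
    $config = array();                        // start from a known state
    $config["library_path"] = dirname(__FILE__) . "/lib";
    include($config["library_path"] . "/functions.php");
}

// --- 2. SQL injection through the 'id' parameter (CVE-2005-1525) ---
// Vulnerable: the raw request value is concatenated into the query.
function vulnerable_lookup(mysqli $db, $id)
{
    return $db->query("SELECT name FROM items WHERE id=" . $id);
}

// Hardened: accept only a plain decimal integer, then bind it as a typed
// parameter so the value can never change the query's structure.
function hardened_lookup(mysqli $db, $id)
{
    if (!is_string($id) || !ctype_digit($id)) {
        return null;                          // reject anything non-numeric
    }
    $stmt = $db->prepare("SELECT name FROM items WHERE id = ?");
    $int_id = (int) $id;
    $stmt->bind_param("i", $int_id);
    $stmt->execute();
    $stmt->bind_result($name);
    return $stmt->fetch() ? $name : null;
}
```

The runtime check on 'register_globals' is a belt-and-braces measure; the setting itself should be off in php.ini, as the description above notes.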

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can execute SQL commands on the underlying database.

Solution:   Conectiva has released a fix.

ftp://atualizacoes.conectiva.com.br/10/SRPMS/cacti-0.8.6f-56117U10_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cacti-0.8.6f-56117U10_4cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cacti-0.8.6f-22563U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cacti-0.8.6f-22563U90_3cl.noarch.rpm

Vendor URL:  www.raxnet.net/products/cacti/
Cause:   Input validation error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  9, 10

Message History:   This archive entry is a follow-up to the message listed below.
Jun 21 2005 Cacti Input Validation Holes Let Remote Users Inject SQL Commands and Execute Arbitrary Commands


Source Message Contents

Subject:  [Conectiva-updates] [CLA-2005:978] Conectiva Security Announcement


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : cacti
SUMMARY   : Security fixes for Cacti
DATE      : 2005-07-07 10:20:00
ID        : CLA-2005:978
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------

DESCRIPTION
 Cacti[1] is a complete data graphing solution that provides a
 fast poller, advanced graph templating, multiple data acquisition
 methods and user management features out of the box.
 
 This announcement fixes the following security issues with Cacti:
 
 1. CAN-2005-1524 [2,3]
   Cacti contains an input validation error in the
 top_graph_header.php script that allows an attacker to include
 arbitrary PHP code from remote sites. This in effect allows arbitrary
 code execution with the privileges of the web server.
 
 2. CAN-2005-1525 [4,5]
   Cacti contains an input validation error in the config_settings.php
 script which allows an attacker to execute arbitrary SQL queries.
 This in effect allows an attacker to recover the administrative
 password for the Cacti installation. Various scripts are vulnerable
 to SQL injection using the 'id' variable.
 
 3. CAN-2005-1526 [6,7]
   Cacti contains an input validation error in the config_settings.php
 script which allows an attacker to include arbitrary PHP code from
 remote sites. This in effect allows arbitrary code execution with the
 privileges of the web server.
 
 
 IMPORTANT
 For Conectiva Linux 10:
 The cacti cron command must be changed from
 '/srv/www/default/html/cacti/cmd.php' to
 '/srv/www/default/html/cacti/poller.php' in order to get the new
 cacti properly working.
 
 For Conectiva Linux 9:
 The database must be converted in order to make cacti work again and
 also apply the above cron change.
 
 For additional information on upgrading cacti, please refer to the
 file /srv/www/default/html/cacti/docs/INSTALL included in the
 package.


SOLUTION
 It is recommended that all Cacti users upgrade their packages.
 
 
 REFERENCES
 1. http://www.cacti.net
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1524
 3. http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities&flashstatus=true
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1525
 5. http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities&flashstatus=true
 6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1526
 7. http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities&flashstatus=true


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cacti-0.8.6f-56117U10_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cacti-0.8.6f-56117U10_4cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cacti-0.8.6f-22563U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cacti-0.8.6f-22563U90_3cl.noarch.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
Copyright 2020, SecurityGlobal.net LLC