Bug 1127165

Summary: cacti has remote code execution vulnerability
Product: [Fedora] Fedora
Reporter: Mischa Salle <msalle>
Component: cacti
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 20
CC: carnil, mmcallis, security-response-team
Keywords: Security
Hardware: All
OS: All
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-08-14 07:42:44 UTC

Description Mischa Salle 2014-08-06 10:08:41 UTC
Description of problem:
cacti has a remote code execution and potentially SQL injection vulnerability since it does not check the input arguments on the graph_settings.php page but saves them into the SQL database.
In particular the font sizes are then taken over into the rrdtool commandline in lib/rrd.php, lines 2032/2035 and further. Since there is no check whether $size is actually a number, only that it starts with a number (via the check <=4), it's possible to insert commands by adding a ';' followed by any command.
Note that other similar injection vulnerabilities in cacti have been fixed recently.

Version-Release number of selected component (if applicable):
all versions of cacti up to and including cacti-0.8.8b-7
As far as I can see, all Fedora and EPEL versions are vulnerable.

Additional info:
This has been reported upstream as http://bugs.cacti.net/view.php?id=2455
This issue has been found by Mischa Salle and Wilco Baan Hofman of Nikhef.
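
The pattern the report describes, as an added example that is not Cacti's own code from lib/rrd.php: a font size saved from graph_settings.php comes back from the database as a string, the only check applied is a numeric comparison against 4, and the value is then concatenated into the rrdtool command line. The function names, the `title`/`Arial` inputs and the `8;id` value are constructed for the demonstration. The second function is the added hardened form, which rejects anything that is not a number before it can reach the shell.

```php
<?php
// Added example reconstructing the vulnerable pattern from the report; not the
// actual Cacti code. Function names and inputs are assumptions.

// Vulnerable pattern: "$size <= 4" is a loose comparison. In PHP 5 a string
// such as "8;id" is converted using only its leading numeric prefix (8), so it
// is not clamped and is passed through unchanged into the command line.
// (In PHP 8 the same value compares as a string against "4" and also passes,
// because "8" sorts after "4".) Nothing here verifies the value is a number.
function font_option_vulnerable(string $type, string $size, string $font): string
{
    /* do not allow font sizes smaller than 4 */
    if ($size <= 4) {
        $size = 4;
    }
    return "--font " . strtoupper($type) . ":" . $size . ":" . $font;
}

// Hardened pattern (added): require an actual numeric string, coerce to int so
// only digits are emitted, clamp, and shell-escape the free-form font name too.
function font_option_hardened(string $type, string $size, string $font): string
{
    if (!is_numeric($size)) {
        throw new InvalidArgumentException(
            "font size must be numeric, got " . var_export($size, true)
        );
    }
    $size = (int) $size;
    if ($size < 4) {
        $size = 4;
    }
    return "--font " . strtoupper($type) . ":" . $size . ":" . escapeshellarg($font);
}

// Constructed inputs: a normal size, a too-small size, and a size carrying a
// ';'-separated command of the kind the report describes. The strings are only
// built and printed here; nothing is executed.
$inputs = ["12", "3", "8;id"];
foreach ($inputs as $size) {
    echo "input " . var_export($size, true) . "\n";
    echo "  vulnerable: " . font_option_vulnerable("title", $size, "Arial") . "\n";
    try {
        echo "  hardened:   " . font_option_hardened("title", $size, "Arial") . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run with `php example.php`: the vulnerable function emits `--font TITLE:8;id:Arial`, where the `;` ends the rrdtool command once the string reaches a shell, while the hardened function rejects the same input and only ever emits an integer for the size.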

Comment 1 Murray McAllister 2014-08-07 02:47:27 UTC
Good morning,

Thank you very much for the report!

We can assign a CVE number if needed, and help with any coordination with other vendors and distributions before the issue is public if needed.

Cheers,

--
Murray McAllister / Red Hat Product Security

Comment 2 Mischa Salle 2014-08-07 11:41:38 UTC
Hi Murray,

yes, that would be good. I also submitted a bug at Debian via security but have not yet received any feedback, so I doubt they have already requested a CVE. I asked in the upstream cacti bugtracker if they were planning to request a CVE but they did not respond.

Cheers,
Mischa

Comment 3 Murray McAllister 2014-08-14 07:41:23 UTC
Hi Mischa,

This issue seems public now:

http://svn.cacti.net/viewvc?view=rev&revision=7454

http://www.openwall.com/lists/oss-security/2014/08/12/5

I'll open this bug up and close it as a duplicate of a fedora tracker that was filed.

We will wait until MITRE responds to the oss-security mail with a CVE, to avoid us assigning any duplicates.

Comment 4 Murray McAllister 2014-08-14 07:42:44 UTC

*** This bug has been marked as a duplicate of bug 1129763 ***