Bug 585207

Summary: SQL Injection Vulnerability
Product: [Fedora] Fedora EPEL Reporter: Matt Hyclak <hyclak>
Component: cactiAssignee: Mike McGrath <mmcgrath>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: el5CC: mmcgrath, vdanen
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cacti-0.8.7e-4.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-18 21:59:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 585401    
Attachments:
Description Flags
Patch to the spec file none

Description Matt Hyclak 2010-04-23 12:42:24 UTC
Created attachment 408594 [details]
Patch to the spec file

Description of problem:

SQL Injection Vulnerability in Cacti <= 0.8.7e 

Version-Release number of selected component (if applicable):

0.8.7e-3

How reproducible:

Always

Steps to Reproduce:
1. See http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php
2.
3.
  
Actual results:

SQL injection

Expected results:

No SQL injection

Additional info:

Patch released - http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch

Comment 1 Fedora Update System 2010-04-23 14:58:57 UTC
cacti-0.8.7e-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12

Comment 2 Fedora Update System 2010-04-23 14:59:02 UTC
cacti-0.8.7e-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13

Comment 3 Fedora Update System 2010-04-23 14:59:10 UTC
cacti-0.8.7e-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11

Comment 4 Fedora Update System 2010-04-23 15:03:55 UTC
cacti-0.8.7e-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4

Comment 5 Fedora Update System 2010-04-25 14:02:00 UTC
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13

Comment 6 Vincent Danen 2010-04-26 19:26:31 UTC
*** Bug 585402 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2010-04-26 23:28:19 UTC
cacti-0.8.7e-4.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4

Comment 8 Fedora Update System 2010-04-27 02:17:50 UTC
cacti-0.8.7e-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11

Comment 9 Fedora Update System 2010-04-27 02:31:05 UTC
cacti-0.8.7e-4.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12

Comment 10 Matt Hyclak 2010-04-29 17:58:48 UTC
This update didn't break anything on our test system. I can't seem to find a way to really test the vulnerability to make sure it's fixed or not.

Thanks,
Matt

Comment 11 Vincent Danen 2010-04-29 19:57:20 UTC
Yeah, I don't have a good testcase here either.  The advisory report to full-disclosure had an example but I can't seem to make it do anything creative.  I think we have to trust that upstream did the right thing here.

Comment 12 Matt Hyclak 2010-05-12 12:36:44 UTC
Is this going to get pushed for EL5? I only see EL4 and FC11-13.

Comment 13 Fedora Update System 2010-05-18 21:59:10 UTC
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Vincent Danen 2010-08-17 20:08:50 UTC
(In reply to comment #12)
> Is this going to get pushed for EL5? I only see EL4 and FC11-13.

This was addressed in https://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el5