Bug 586064

Summary: cacti: arbitrary command injection vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: mmcgrath, ocs2, plautrba
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-29 13:36:28 UTC

Description Vincent Danen 2010-04-26 18:17:58 UTC
It was reported [1] that Cacti is vulnerable to arbitrary command injection due to not properly sanitizing user-supplied input.  Specifically, the reported vulnerabilities are:

1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without
single quotes) and Save it. Edit the Device again and reload any data
query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label
'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to
Graph Management section and Select it. CMD will be executed with Web
Server rights. Note that other properties of a Graph Template might
also be affected.

The report indicates this affects all current releases of Cacti (up to and including .8.7e), however there is no upstream fix for this available yet, nor are there further details available.

[1] http://seclists.org/fulldisclosure/2010/Apr/271

Comment 1 Vincent Danen 2010-04-27 04:16:55 UTC
I can't reproduce this, tried with 0.8.7e-3.fc12.  I've tried variations of the original, but can't seem to get this to actually do anything useful.

/var/log/cacti/cacti.log is full of entries like this (from trying to reproduce):

04/26/2010 05:17:11 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for 172.12.12.12;touch /tmp/test
04/26/2010 05:18:35 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test
04/26/2010 05:25:55 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "

There have been fixes in the past for Cacti to fix this type of vulnerability, so I wonder whether or not this report is genuinely against the new version or perhaps against the older vulnerable versions.  Is anyone else able to reproduce this?

However, this looks like the same kind of issue as CVE-2009-4112 (bug #542985), which indicates:

"Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8."

We had classified that CVE as impact=low; do we want to call this impact=important considering this is a similar type of issue?
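Added example, not from the bug report or from Cacti itself: a defender-side check for the device hostname field (allow-list of plain hostname/FQDN or dotted-quad IPv4) and a scanner that flags "gethostbyname failed for ..." entries in cacti.log whose host value carries shell metacharacters, as in the entries logged during the reproduction attempt above. The log regex is assumed from the lines in comment 1; the sample log below is constructed from those lines plus one benign failure.

```python
import re
from typing import List, Tuple

# Log line shape taken from the cacti.log entries quoted in comment 1 (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) - CMDPHP: Poller\[\d+\] "
    r"WARNING: UDP Ping Error: gethostbyname failed for (?P<host>.*)$"
)
# Characters that never belong in a hostname or IP and that a shell would interpret.
SHELL_META = re.compile(r'[;&|`$<>"\'\n\\(){}]')
# Strict allow-list: RFC-style hostname labels (no leading/trailing hyphen) or IPv4.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def is_safe_hostname(value: str) -> bool:
    """Allow-list check a device form should apply before the value ever reaches a ping command."""
    return bool(HOSTNAME_RE.match(value) or IPV4_RE.match(value))


def find_injection_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, host) for ping failures whose host value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        if SHELL_META.search(host):
            hits.append((m.group("ts"), host))
    return hits


# Constructed sample: three entries from the reproduction attempt plus one ordinary DNS failure.
SAMPLE_LOG = """04/26/2010 05:17:11 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for 172.12.12.12;touch /tmp/test
04/26/2010 05:25:55 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "
04/26/2010 06:00:00 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for no-such-host.example
"""

if __name__ == "__main__":
    for ts, host in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts}: suspicious host value {host!r} (valid hostname: {is_safe_hostname(host)})")
```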

Comment 2 Tomas Hoger 2010-06-29 13:36:28 UTC

*** This bug has been marked as a duplicate of bug 609115 ***