Bug 1127165 - cacti has remote code execution vulnerability
Summary: cacti has remote code execution vulnerability
Status: CLOSED DUPLICATE of bug 1129763
Alias: None
Product: Fedora
Classification: Fedora
Component: cacti
Version: 20
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2014-08-06 10:08 UTC by Mischa Salle
Modified: 2014-08-14 08:02 UTC
Last Closed: 2014-08-14 07:42:44 UTC


Description Mischa Salle 2014-08-06 10:08:41 UTC
Description of problem:
cacti has a remote code execution and potentially SQL injection vulnerability since it does not check the input arguments on the graph_settings.php page but saves them into the SQL database.
In particular the font sizes are then taken over into the rrdtool commandline in lib/rrd.php, lines 2032/2035 and further. Since there is no check whether $size is actually a number, only that it starts with a number (via the check <=4), it's possible to insert commands by adding a ';' followed by any command.
Note that other similar injection vulnerabilities in cacti have been fixed recently.

Version-Release number of selected component (if applicable):
all versions of cacti up to and including cacti-0.8.8b-7
As far as I can see, all Fedora and EPEL versions are vulnerable.

Additional info:
This has been reported upstream as http://bugs.cacti.net/view.php?id=2455
This issue has been found by Mischa Salle and Wilco Baan Hofman of Nikhef.
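
The weakness described in the report, shown beside a strict check, as an added example that is not Cacti's code and not part of the original report. The function names, the size bounds and the sample inputs are assumptions made for illustration; `--font FONTTAG:size[:font]` is rrdtool's documented graph option.

```php
<?php
// Added illustration. Names, bounds and sample values are constructed.

// Weak pattern from the report: a loose comparison against a number only
// considers how the string starts, so text after the digits is never examined.
function weak_font_size($size, $default = 8) {
    if ($size <= 4) {
        return $default;
    }
    return $size; // returned unchanged, including anything after the digits
}

// Strict form: the whole value must parse as an integer inside the allowed
// range (bounds are assumed here); anything else falls back to the default.
function strict_font_size($size, $default = 8, $min = 5, $max = 100) {
    $opts = array('options' => array('min_range' => $min, 'max_range' => $max));
    $n = filter_var($size, FILTER_VALIDATE_INT, $opts);
    return ($n === false) ? $default : $n;
}

// Defence in depth: even a validated value is passed to the shell as a
// single quoted argument, never concatenated in raw.
function font_option($tag, $size, $font = '') {
    $value = $tag . ':' . strict_font_size($size);
    if ($font !== '') {
        $value .= ':' . $font;
    }
    return '--font ' . escapeshellarg($value);
}

// Constructed inputs: a valid size, a too-small size, and a value that
// starts with a digit but carries trailing text after a ';'.
$samples = array('12', '3', '8; constructed-trailing-text');
foreach ($samples as $s) {
    printf("input=%s weak=%s strict=%s\n",
        var_export($s, true),
        var_export(weak_font_size($s), true),
        var_export(strict_font_size($s), true));
}
echo font_option('TITLE', '8; constructed-trailing-text'), "\n";
```

Validating when the setting is saved on graph_settings.php and again where the command line is built keeps a bad value already stored in the database from reaching rrdtool.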

Comment 1 Murray McAllister 2014-08-07 02:47:27 UTC
Good morning,

Thank you very much for the report!

We can assign a CVE number if needed, and help with any coordination with other vendors and distributions before the issue is public if needed.

Cheers,

--
Murray McAllister / Red Hat Product Security

Comment 2 Mischa Salle 2014-08-07 11:41:38 UTC
Hi Murray,

yes, that would be good. I also submitted a bug at Debian via security@debian.org but have not yet received any feedback, so I doubt they have already requested a CVE. I asked in the upstream cacti bugtracker if they were planning to request a CVE but they did not respond.

Cheers,
Mischa

Comment 3 Murray McAllister 2014-08-14 07:41:23 UTC
Hi Mischa,

This issue seems public now:

http://svn.cacti.net/viewvc?view=rev&revision=7454

http://www.openwall.com/lists/oss-security/2014/08/12/5

I'll open this bug up and close it as a duplicate of a Fedora tracker that was filed.

We will wait until MITRE responds to the oss-security mail with a CVE, to avoid us assigning any duplicates.

Comment 4 Murray McAllister 2014-08-14 07:42:44 UTC

*** This bug has been marked as a duplicate of bug 1129763 ***

