Description of problem:
cacti has a remote code execution and potentially SQL injection vulnerability since it does not check the input arguments on the graph_settings.php page but saves them into the SQL database. In particular the font sizes are then taken over into the rrdtool commandline in lib/rrd.php, lines 2032/2035 and further. Since there is no check whether $size is actually a number, only that it starts with a number (via the check <=4), it's possible to insert commands by adding a ';' followed by any command. Note that other similar injection vulnerabilities in cacti have been fixed recently.

Version-Release number of selected component (if applicable):
all versions of cacti up to and including cacti-0.8.8b-7
As far as I can see, all Fedora and EPEL versions are vulnerable.

Additional info:
This has been reported upstream as http://bugs.cacti.net/view.php?id=2455
This issue has been found by Mischa Salle and Wilco Baan Hofman of Nikhef.
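The bug class described in the report is a numeric setting that is only loosely checked, stored, and later spliced into a command line. The following is an added illustration in Python, not cacti's own PHP code: it contrasts an assumed loose check (an approximation of the "starts with a number" rule the report describes, not cacti's actual logic) with a strict whole-value check, and shows the rrdtool invocation built as an argument vector so that no shell ever parses the value. The function names and the size range are assumptions chosen for the example.

```python
"""Added example: loose vs. strict validation of a font-size setting, and
invoking rrdtool via an argv list instead of a shell command string.
Not cacti's code; weak_check only approximates the report's description."""

import subprocess

# Characters a POSIX shell would interpret if the value reached a shell string.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def weak_check(size: str) -> bool:
    """Assumed loose validation: a short value that begins with a digit.
    It says nothing about the characters that follow the leading digit."""
    return 0 < len(size) <= 4 and size[0].isdigit()


def strict_check(size: str) -> bool:
    """Hardened validation: the whole value is decimal digits and within a
    sane font-size range (1..99, assumed). Any metacharacter fails isdigit()."""
    return size.isdigit() and 1 <= int(size) <= 99


def has_shell_metachar(value: str) -> bool:
    """Report whether a value contains characters a shell would act on."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_rrdtool_argv(font_size: str) -> list:
    """Return the rrdtool command as an argv list after strict validation.

    With a list and shell=False, each element is exactly one argument; no
    shell parses the string, so a ';' inside the value can never start a
    second command. Raises ValueError for anything that is not a plain size.
    """
    if not strict_check(font_size):
        raise ValueError(f"rejected font size: {font_size!r}")
    # "--font TAG:size" is rrdtool graph's syntax for a per-element font size.
    return ["rrdtool", "graph", "-", "--font", f"TITLE:{font_size}"]


def run_rrdtool(font_size: str) -> subprocess.CompletedProcess:
    """Invoke rrdtool without a shell. Needs the rrdtool binary on PATH;
    not exercised by the demonstration below."""
    return subprocess.run(build_rrdtool_argv(font_size),
                          capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: a normal size, a value carrying a ';'
    # separator, a value with a space, and a non-numeric value.
    for candidate in ["12", "12;x", "1 x", "abc"]:
        print(f"{candidate!r:8} weak={weak_check(candidate)!s:5} "
              f"strict={strict_check(candidate)!s:5} "
              f"metachar={has_shell_metachar(candidate)}")
```

The point of the two layers is that validation and safe invocation are independent defences: the strict check rejects anything that is not a bare integer, and the argv list means that even a value which slipped past validation would reach rrdtool as a single argument rather than being re-parsed by a shell.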
Good morning,

Thank you very much for the report! We can assign a CVE number if needed, and help with any coordination with other vendors and distributions before the issue is public if needed.

Cheers,
--
Murray McAllister / Red Hat Product Security
Hi Murray,

yes, that would be good. I also submitted a bug at Debian via security but have not yet received any feedback, so I doubt they have already requested a CVE. I asked in the upstream cacti bugtracker if they were planning to request a CVE but they did not respond.

Cheers,
Mischa
Hi Mischa,

This issue seems public now:
http://svn.cacti.net/viewvc?view=rev&revision=7454
http://www.openwall.com/lists/oss-security/2014/08/12/5

I'll open this bug up and close it as a duplicate of a fedora tracker that was filed. We will wait until MITRE responds to the oss-security mail with a CVE, to avoid us assigning any duplicates.
*** This bug has been marked as a duplicate of bug 1129763 ***