Description of problem:
cacti has a remote code execution and potentially SQL injection vulnerability since it does not check the input arguments on the graph_settings.php page but saves them into the SQL database.
In particular the font sizes are then taken over into the rrdtool commandline in lib/rrd.php, lines 2032/2035 and further. Since there is no check whether $size is actually a number, only that it starts with a number (via the check <=4), it's possible to insert commands by adding a ';' followed by any command.
Note that other similar injection vulnerabilities in cacti have been fixed recently.
Version-Release number of selected component (if applicable):
all versions of cacti upto and including cacti-0.8.8b-7
As far as I can see, all Fedora and EPEL version are vulnerable.
This has been reported upstream as http://bugs.cacti.net/view.php?id=2455
This issue has been found by Mischa Salle and Wilco Baan Hofman of Nikhef.
Thank you very much for the report!
We can assign a CVE number if needed, and help with any coordination with other vendors and distributions before the issue is public if needed.
Murray McAllister / Red Hat Product Security
yes, that would be a good. I also submitted a bug at Debian via firstname.lastname@example.org but have not yet received any feedback, so I doubt they have already requested a CVE. I asked in the upstream cacti bugtracker if they were planning to request a CVE but they did not respond.
This issue seems public now:
I'll open this bug up and close it as a duplicate of a fedora tracker that was filed.
We will wait until MITRE responds to the oss-security mail with a CVE, to avoid us assigning any duplicates.
*** This bug has been marked as a duplicate of bug 1129763 ***