Bug 585207 - SQL Injection Vulnerability
Summary: SQL Injection Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cacti
Version: el5
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Mike McGrath
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 585402 (view as bug list)
Depends On:
Blocks: BONSAI-2010-0104, CVE-2010-1431
TreeView+ depends on / blocked
 
Reported: 2010-04-23 12:42 UTC by Matt Hyclak
Modified: 2010-08-17 20:08 UTC (History)
2 users (show)

Fixed In Version: cacti-0.8.7e-4.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-18 21:59:14 UTC
Type: ---


Attachments (Terms of Use)
Patch to the spec file (1013 bytes, application/octet-stream)
2010-04-23 12:42 UTC, Matt Hyclak
no flags Details

Description Matt Hyclak 2010-04-23 12:42:24 UTC
Created attachment 408594 [details]
Patch to the spec file

Description of problem:

SQL Injection Vulnerability in Cacti <= 0.8.7e 

Version-Release number of selected component (if applicable):

0.8.7e-3

How reproducible:

Always

Steps to Reproduce:
1. See http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php
2.
3.
  
Actual results:

SQL injection

Expected results:

No SQL injection

Additional info:

Patch released - http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch

Comment 1 Fedora Update System 2010-04-23 14:58:57 UTC
cacti-0.8.7e-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12

Comment 2 Fedora Update System 2010-04-23 14:59:02 UTC
cacti-0.8.7e-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13

Comment 3 Fedora Update System 2010-04-23 14:59:10 UTC
cacti-0.8.7e-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11

Comment 4 Fedora Update System 2010-04-23 15:03:55 UTC
cacti-0.8.7e-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4

Comment 5 Fedora Update System 2010-04-25 14:02:00 UTC
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13

Comment 6 Vincent Danen 2010-04-26 19:26:31 UTC
*** Bug 585402 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2010-04-26 23:28:19 UTC
cacti-0.8.7e-4.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4

Comment 8 Fedora Update System 2010-04-27 02:17:50 UTC
cacti-0.8.7e-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11

Comment 9 Fedora Update System 2010-04-27 02:31:05 UTC
cacti-0.8.7e-4.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12

Comment 10 Matt Hyclak 2010-04-29 17:58:48 UTC
This update didn't break anything on our test system. I can't seem to find a way to really test the vulnerability to make sure it's fixed or not.

Thanks,
Matt

Comment 11 Vincent Danen 2010-04-29 19:57:20 UTC
Yeah, I don't have a good testcase here either.  The advisory report to full-disclosure had an example but I can't seem to make it do anything creative.  I think we have to trust that upstream did the right thing here.

Comment 12 Matt Hyclak 2010-05-12 12:36:44 UTC
Is this going to get pushed for EL5? I only see EL4 and FC11-13.

Comment 13 Fedora Update System 2010-05-18 21:59:10 UTC
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Vincent Danen 2010-08-17 20:08:50 UTC
(In reply to comment #12)
> Is this going to get pushed for EL5? I only see EL4 and FC11-13.

This was addressed in https://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el5


Note You need to log in before you can comment on or make changes to this bug.