Bug 585207 - SQL Injection Vulnerability
SQL Injection Vulnerability
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: cacti (Show other bugs)
el5
All Linux
low Severity high
: ---
: ---
Assigned To: Mike McGrath
Fedora Extras Quality Assurance
:
: 585402 (view as bug list)
Depends On:
Blocks: BONSAI-2010-0104/CVE-2010-1431
  Show dependency treegraph
 
Reported: 2010-04-23 08:42 EDT by Matt Hyclak
Modified: 2010-08-17 16:08 EDT (History)
2 users (show)

See Also:
Fixed In Version: cacti-0.8.7e-4.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-18 17:59:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to the spec file (1013 bytes, application/octet-stream)
2010-04-23 08:42 EDT, Matt Hyclak
no flags Details

  None (edit)
Description Matt Hyclak 2010-04-23 08:42:24 EDT
Created attachment 408594 [details]
Patch to the spec file

Description of problem:

SQL Injection Vulnerability in Cacti <= 0.8.7e 

Version-Release number of selected component (if applicable):

0.8.7e-3

How reproducible:

Always

Steps to Reproduce:
1. See http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php
2.
3.
  
Actual results:

SQL injection

Expected results:

No SQL injection

Additional info:

Patch released - http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
Comment 1 Fedora Update System 2010-04-23 10:58:57 EDT
cacti-0.8.7e-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12
Comment 2 Fedora Update System 2010-04-23 10:59:02 EDT
cacti-0.8.7e-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13
Comment 3 Fedora Update System 2010-04-23 10:59:10 EDT
cacti-0.8.7e-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11
Comment 4 Fedora Update System 2010-04-23 11:03:55 EDT
cacti-0.8.7e-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4
Comment 5 Fedora Update System 2010-04-25 10:02:00 EDT
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc13
Comment 6 Vincent Danen 2010-04-26 15:26:31 EDT
*** Bug 585402 has been marked as a duplicate of this bug. ***
Comment 7 Fedora Update System 2010-04-26 19:28:19 EDT
cacti-0.8.7e-4.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.el4
Comment 8 Fedora Update System 2010-04-26 22:17:50 EDT
cacti-0.8.7e-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc11
Comment 9 Fedora Update System 2010-04-26 22:31:05 EDT
cacti-0.8.7e-4.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cacti'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/cacti-0.8.7e-4.fc12
Comment 10 Matt Hyclak 2010-04-29 13:58:48 EDT
This update didn't break anything on our test system. I can't seem to find a way to really test the vulnerability to make sure it's fixed or not.

Thanks,
Matt
Comment 11 Vincent Danen 2010-04-29 15:57:20 EDT
Yeah, I don't have a good testcase here either.  The advisory report to full-disclosure had an example but I can't seem to make it do anything creative.  I think we have to trust that upstream did the right thing here.
Comment 12 Matt Hyclak 2010-05-12 08:36:44 EDT
Is this going to get pushed for EL5? I only see EL4 and FC11-13.
Comment 13 Fedora Update System 2010-05-18 17:59:10 EDT
cacti-0.8.7e-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Vincent Danen 2010-08-17 16:08:50 EDT
(In reply to comment #12)
> Is this going to get pushed for EL5? I only see EL4 and FC11-13.

This was addressed in https://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el5

Note You need to log in before you can comment on or make changes to this bug.