Red Hat Bugzilla – Bug 586064
cacti: arbitrary command injection vulnerability
Last modified: 2010-06-29 09:40:29 EDT
It was reported  that Cacti is vulnerable to arbitrary command injection due to not properly sanitizing user-supplied input. Specifically, the reported vulnerabilities are:
1) Edit or Create a Device with FQDN \u2018NotARealIPAddress;CMD;\u2019 (without
single quotes) and Save it. Edit the Device again and reload any data
query already created. CMD will be executed with Web Server rights.
2) Edit or Create a Graph Template and use as Vertical Label
'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to
Graph Management section and Select it. CMD will be executed with Web
Server rights. Note that other properties of a Graph Template might
also be affected.
The report indidcates this affects all current releases of Cacti (up to and including .8.7e), however there is no upstream fix for this available yet, nor are there further details available.
I can't reproduce this, tried with 0.8.7e-3.fc12. I've tried variations of the original, but can't seem to get this to actually do anything useful.
/var/log/cacti/cacti.log is full of entries like this (from trying to reproduce):
04/26/2010 05:17:11 PM - CMDPHP: Poller WARNING: UDP Ping Error: gethostbyname failed for 220.127.116.11;touch /tmp/test
04/26/2010 05:18:35 PM - CMDPHP: Poller WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test
04/26/2010 05:25:55 PM - CMDPHP: Poller WARNING: UDP Ping Error: gethostbyname failed for google.ca;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "
There have been fixes in the past for Cacti to fix this type of vulnerability, so I wonder whether or not this report is genuinely against the new version or perhaps against the older vulnerable versions. Is anyone else able to reproduce this?
However, this looks like the same kind of issue as CVE-2009-4112 (bug #542985), which indicates:
"Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8."
We had classified that CVE as impact=low; do we want to call this impact=important considering this is a similar type of issue?
*** This bug has been marked as a duplicate of bug 609115 ***