Bug 586064 - cacti: arbitrary command injection vulnerability
Status: CLOSED DUPLICATE of bug 609115
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Reported: 2010-04-26 18:17 UTC by Vincent Danen
Modified: 2019-09-29 12:36 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-06-29 13:36:28 UTC

Description Vincent Danen 2010-04-26 18:17:58 UTC
It was reported [1] that Cacti is vulnerable to arbitrary command injection due to not properly sanitizing user-supplied input.  Specifically, the reported vulnerabilities are:

1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without
single quotes) and Save it. Edit the Device again and reload any data
query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label
'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to
Graph Management section and Select it. CMD will be executed with Web
Server rights. Note that other properties of a Graph Template might
also be affected.

The report indicates this affects all current releases of Cacti (up to and including .8.7e), however there is no upstream fix for this available yet, nor are there further details available.

[1] http://seclists.org/fulldisclosure/2010/Apr/271

Comment 1 Vincent Danen 2010-04-27 04:16:55 UTC
I can't reproduce this, tried with 0.8.7e-3.fc12.  I've tried variations of the original, but can't seem to get this to actually do anything useful.

/var/log/cacti/cacti.log is full of entries like this (from trying to reproduce):

04/26/2010 05:17:11 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for 172.12.12.12;touch /tmp/test
04/26/2010 05:18:35 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test
04/26/2010 05:25:55 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "

There have been fixes in the past for Cacti to fix this type of vulnerability, so I wonder whether or not this report is genuinely against the new version or perhaps against the older vulnerable versions.  Is anyone else able to reproduce this?

However, this looks like the same kind of issue as CVE-2009-4112 (bug #542985), which indicates:

"Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8."

We had classified that CVE as impact=low; do we want to call this impact=important considering this is a similar type of issue?
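
Added example (not part of the bug report and not Cacti's own code): a small Python scanner for the cacti.log format quoted in Comment 1 that flags poller warnings whose hostname field contains shell metacharacters. The regular expressions, the function names and the benign middle sample line are assumptions made for illustration.

```python
import re

# Log format taken from the cacti.log lines quoted in Comment 1:
#   MM/DD/YYYY HH:MM:SS AM|PM - CMDPHP: Poller[N] WARNING: ... gethostbyname failed for <hostname field>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) - CMDPHP: Poller\[(?P<poller>\d+)\] "
    r"WARNING: .*?gethostbyname failed for (?P<host>.*)$"
)

# RFC 1123 style hostname or dotted IPv4: labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

# Characters a shell treats specially; their presence in a hostname field is the signal.
SHELL_META = set(";|&`$<>\"'\\(){}\n ")

def inspect_line(line):
    """Return None for unrelated lines, else a dict describing the hostname field."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host = m.group("host")
    meta = sorted(set(host) & SHELL_META)
    return {
        "timestamp": m.group("ts"),
        "host": host,
        "valid_hostname": bool(HOST_RE.match(host)) and len(host) <= 253,
        "shell_metacharacters": meta,
        "suspicious": bool(meta),
    }

def scan(lines):
    """Yield findings for lines whose hostname field carries shell metacharacters."""
    for line in lines:
        finding = inspect_line(line)
        if finding and finding["suspicious"]:
            yield finding

# Sample input: first and last entries are from Comment 1; the middle one is constructed (benign).
SAMPLE_LOG = [
    '04/26/2010 05:18:35 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test',
    '04/26/2010 05:20:00 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for host-that-is-down.example.com',
    '04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["timestamp"], repr(f["host"]), "metacharacters:", "".join(f["shell_metacharacters"]))
```

A hit only shows that such a value was stored in a device's hostname field and reached the poller; as Comment 1 notes, it does not by itself show that a command ran.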

Comment 2 Tomas Hoger 2010-06-29 13:36:28 UTC

*** This bug has been marked as a duplicate of bug 609115 ***

