Bug 586064 - cacti: arbitrary command injection vulnerability
Status: CLOSED DUPLICATE of bug 609115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20100421,reported=20100421,sou...
Keywords: Security
Reported: 2010-04-26 14:17 EDT by Vincent Danen
Modified: 2010-06-29 09:40 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-29 09:36:28 EDT
Description Vincent Danen 2010-04-26 14:17:58 EDT
It was reported [1] that Cacti is vulnerable to arbitrary command injection due to not properly sanitizing user-supplied input.  Specifically, the reported vulnerabilities are:

1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without
single quotes) and Save it. Edit the Device again and reload any data
query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label
'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to
Graph Management section and Select it. CMD will be executed with Web
Server rights. Note that other properties of a Graph Template might
also be affected.

The report indicates this affects all current releases of Cacti (up to and including .8.7e); however, there is no upstream fix for this available yet, nor are there further details available.

[1] http://seclists.org/fulldisclosure/2010/Apr/271
Comment 1 Vincent Danen 2010-04-27 00:16:55 EDT
I can't reproduce this, tried with 0.8.7e-3.fc12.  I've tried variations of the original, but can't seem to get this to actually do anything useful.

/var/log/cacti/cacti.log is full of entries like this (from trying to reproduce):

04/26/2010 05:17:11 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for 172.12.12.12;touch /tmp/test
04/26/2010 05:18:35 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test
04/26/2010 05:25:55 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "

There have been fixes in the past for Cacti to fix this type of vulnerability, so I wonder whether or not this report is genuinely against the new version or perhaps against the older vulnerable versions.  Is anyone else able to reproduce this?

However, this looks like the same kind of issue as CVE-2009-4112 (bug #542985), which indicates:

"Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8."

We had classified that CVE as impact=low; do we want to call this impact=important considering this is a similar type of issue?
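
A detection sketch for the log pattern quoted in the comment above, added here as an example and not part of the original bug report or of Cacti's code: it parses the "gethostbyname failed" warnings and flags any device hostname that is neither an IP literal nor a syntactically valid DNS name. The function names and the fourth sample line are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Sample input: the first three lines are from the log excerpt above; the
# fourth (router1.example.com) is constructed as a benign contrast case.
SAMPLE_LOG = """\
04/26/2010 05:17:11 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for 172.12.12.12;touch /tmp/test
04/26/2010 05:18:35 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for notarealipaddress;touch /tmp/test
04/26/2010 05:50:06 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for google.ca";touch /tmp/test; "
04/26/2010 05:51:00 PM - CMDPHP: Poller[0] WARNING: UDP Ping Error: gethostbyname failed for router1.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) - (?P<src>\w+): "
    r"Poller\[(?P<poller>\d+)\] WARNING: .*?gethostbyname failed for (?P<host>.*)$"
)
# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value):
    """True if value is an IP literal or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        name = value[:-1] if value.endswith(".") else value
        return 0 < len(name) <= 253 and all(LABEL_RE.match(p) for p in name.split("."))


def suspicious_entries(log_text):
    """Return (timestamp, host, unexpected_chars) for each non-hostname value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_valid_host(m.group("host")):
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        host = m.group("host")
        # Characters that can never appear in a hostname or IP literal.
        bad = "".join(sorted(set(re.findall(r"[^A-Za-z0-9.\-:]", host))))
        findings.append((ts, host, bad))
    return findings


if __name__ == "__main__":
    for ts, host, bad in suspicious_entries(SAMPLE_LOG):
        print(f"{ts.isoformat()}  host={host!r}  unexpected={bad!r}")
```

The same `is_valid_host` check can be applied to the device hostname field before it is saved, so that values like the ones logged here are rejected at input time rather than found afterwards.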
Comment 2 Tomas Hoger 2010-06-29 09:36:28 EDT

*** This bug has been marked as a duplicate of bug 609115 ***
