Cacti upstream has released:
[1] http://www.cacti.net/release_notes_0_8_7f.php
the latest v0.8.7 version, addressing three security flaws:

[A] MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
[2] http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
[3] http://www.vupen.com/english/advisories/2010/1204
Credit: The vulnerability was discovered by Stefan Esser as part of the SQL Injection Marathon.
Upstream changeset:
[4] http://svn.cacti.net/viewvc?view=rev&revision=5920

[B] Cross-site scripting issues reported by VUPEN Security (http://www.vupen.com)
[5] http://www.vupen.com/english/advisories/2010/1203
Credit: Vulnerabilities reported by Mohammed Boumediane (VUPEN Security).
Upstream changeset:
[6] http://svn.cacti.net/viewvc?view=rev&revision=5901

[C] SQL injection and shell escaping issues reported by Bonsai Information Security (http://www.bonsai-sec.com)
[7] http://www.bonsai-sec.com/blog/index.php/using-grep-to-find-0days/
[8] http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php
Credit: This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com )
Upstream changeset:
[9] http://svn.cacti.net/viewvc?view=rev&revision=5747

If a logged-in Cacti user was tricked into visiting a specially-crafted Web page, it could lead to:
i, unauthorized arbitrary database data disclosure (vulnerability [A], from [2]),
ii, unauthorized arbitrary scripting code execution (vulnerability [B], from [5]),
iii, execution of unintended commands or accessing unauthorized data (vulnerability [C], from [8]).

CVE Request:
[10] http://www.openwall.com/lists/oss-security/2010/05/24/1
Vulnerabilities [A] and [B] affect the current versions of the cacti package, as shipped with Fedora release of 11 and 12 (flaw [C] is already fixed). Vulnerabilities [A] and [B] affect the current versions of the cacti package, as shipped within EPEL-4 and EPEL-5 repositories (flaw [C] is already fixed). Please fix / rebase.
cacti-0.8.7f-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el5
cacti-0.8.7f-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el4
cacti-0.8.7f-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc11
cacti-0.8.7f-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc12
cacti-0.8.7f-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc13
(In reply to comment #0)
> [C], SQL injection and shell escaping issues reported by Bonsai
> Information Security (http://www.bonsai-sec.com)
...
> Upstream changeset:
> [9] http://svn.cacti.net/viewvc?view=rev&revision=5747

That only seems to be a fix for the SQL injection issue that is already known as BONSAI-2010-0104 / CVE-2010-1431 (see bug #585401):
http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php

While BONSAI-2010-0105 is about shell command injection:
http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php
and is more likely related to the following commits:
http://svn.cacti.net/viewvc?view=rev&revision=5778
http://svn.cacti.net/viewvc?view=rev&revision=5782
http://svn.cacti.net/viewvc?view=rev&revision=5784
cacti-0.8.7f-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7f-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7f-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7f-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7f-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Issue [A] is CVE-2010-2092:
============================
SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which bypasses the validation routine.

References:
[1] http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
[2] http://www.cacti.net/changelog.php

Issue [B] is CVE-2010-1644.
===========================

Issue [C] (shell command injection) is CVE-2010-1645:
=====================================================
References:
[3] http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php
Proper patches:
[4] http://svn.cacti.net/viewvc?view=rev&revision=5778
[5] http://svn.cacti.net/viewvc?view=rev&revision=5782
[6] http://svn.cacti.net/viewvc?view=rev&revision=5784

The SQL injection issue of [C] is BONSAI-2010-0104 / CVE-2010-1431 (see bug #585401).
Cacti upstream warning about regressions in Cacti v0.8.7f and information about public availability of a new version, Cacti v0.8.7g, which should address / overcome them (will be available on June 7th, 2010):
[1] http://forums.cacti.net/viewtopic.php?t=37845
More issue details and public PoCs for the CVE-2010-1645 OS command injection issue (from BONSAI-2010-0105):

8.1 OS Command Injection
CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Cacti is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the operating system running Cacti.

The vulnerability can be triggered by any user doing:
1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without single quotes) and Save it. Edit the Device again and reload any data query already created. CMD will be executed with Web Server rights.
2) Edit or Create a Graph Template and use as Vertical Label ‘BonsaiSecLabel";CMD; "’ (without single quotes) and Save it. Go to Graph Management section and Select it. CMD will be executed with Web Server rights.
Note that other properties of a Graph Template might also be affected.
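As an added defensive illustration (not Cacti's code and not the upstream changesets referenced above), the following validates the two input fields named in the advisory before they can reach a shell: a device hostname must be an IP literal or an RFC 1123 hostname, a vertical label must carry no shell metacharacters, and anything still passed to rrdtool is quoted with shlex.quote. The function names, the SAMPLE_HOSTS table and the audit helper are hypothetical.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters with meaning to /bin/sh; none of them belong in a graph label.
_SHELL_META = set(';|&$`\\"\'<>(){}\n\r')


def valid_device_host(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid FQDN, nothing else."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass  # not an IP literal; fall through to hostname checks
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def safe_graph_label(value: str) -> bool:
    """True when the label contains no shell metacharacters."""
    return not (_SHELL_META & set(value))


def build_rrdtool_args(label: str) -> str:
    """Build the --vertical-label argument with shell-safe quoting (hypothetical helper)."""
    if not safe_graph_label(label):
        raise ValueError("unsafe vertical label")
    return "--vertical-label " + shlex.quote(label)


# Constructed sample rows standing in for a host table; id 3 carries the
# advisory's injection shape with CMD left as the advisory's placeholder.
SAMPLE_HOSTS = {1: "192.0.2.10", 2: "router1.example.net", 3: "NotARealIPAddress;CMD;"}


def audit_hosts(rows: dict) -> list:
    """Return ids whose stored hostname fails validation: a quick post-upgrade audit."""
    return sorted(i for i, h in rows.items() if not valid_device_host(h))


if __name__ == "__main__":
    print("suspicious host ids:", audit_hosts(SAMPLE_HOSTS))
    print(build_rrdtool_args("Bytes per second"))
```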
Removing aliases, this needs to be split.
Closing this, each issue has separate bug now (see dependency tree).