SecurityTracker: Cacti Input Validation Holes Let Remote Users Inject SQL Commands, Bypass Authentication, and Execute Arbitrary Commands

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Cacti

Vendors: RaXnet

Cacti Input Validation Holes Let Remote Users Inject SQL Commands, Bypass Authentication, and Execute Arbitrary Commands

SecurityTracker Alert ID: 1014361

SecurityTracker URL: http://securitytracker.com/id/1014361

CVE Reference: CVE-2005-2148, CVE-2005-2149 (Links to External Site)

Updated: Jun 24 2008

Original Entry Date: Jul 2 2005

Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 0.8.6f

Description: Several vulnerabilities were reported in Cacti. A remote user can inject SQL commands, bypass authentication, and execute arbitrary commands on the target system.

If register_globals is set to 'on' in the 'php.ini' file, then a remote user can supply a specially crafted request to set the 'sess_user_id' to bypass authentication.

Some previous input validation corrections to prevent SQL injection attacks were not properly implemented. A remote user can supply a specially crafted request to execute SQL commands on the underlying database.

Some previous input validation corrections to prevent remote command execution attacks were not properly implemented. A remote user can supply a specially crafted request to execute arbitrary commands on the target system with the privileges of the target web service..

The Hardened - PHP Project is credited with discovering these vulnerabilities.

The vendor was notified on June 25, 2005.

The original advisories from Stefan Esser are available at:

http://www.hardened-php.net/advisory-052005.php
http://www.hardened-php.net/advisory-042005.php
http://www.hardened-php.net/advisory-032005.php

Impact: A remote user can execute SQL commands on the underlying database.

A remote user can bypass authentication.

A remote user can execute arbitrary commands on the target system with the privileges of the target web service.

Solution: The vendor has issued a fixed version (0.8.6f), available at:

http://www.cacti.net/download_cacti.php

A patch for 0.8.6d is also available:

http://www.cacti.net/downloads/patches/0.8.6d/cacti-0.8.6f_security.patch

Vendor URL: www.raxnet.net/products/cacti/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Sat, 2 Jul 2005 02:58:37 -0400
Subject: http://forums.cacti.net/viewtopic.php?t=8326



> Cacti 0.8.6f has been released after the Hardened-PHP project found some additional 
> security vulnerabilities overlooked by the iDEFENSE group. All users are highly 
> recommended to upgrade to this version as soon as possible.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC