Cacti security issues

From: Knights of the Routing Table (knights@knights-of-the-routing-table.org)
Date: Tue Sep 03 2002 - 14:06:22 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Name: Cacti security issues
    Original: http://www.knights-of-the-routing-table.org
              /advisories/krt_001_20020903_cacti.txt
    
    
    - -[ General info ]-
    
     As quoted from http://www.rrdtool.org:
     "Cacti's goal is to be a complete frontend to rrdtool, storing all of 
     the necessary information to create graphs and populate them with data
     in a MySQL database".
    
    
    - -[ Affected ]-
    
     Any system running Cacti < 0.6.8. Exploitation requires a valid 
     username/password, and the account must have administrator rights.
    
    
    - -[ Impact ]-
    
     VERY LOW.
     As mentioned before, administrator rights are needed for exploitation.
     The first and third issues let an authenticated administrator run 
     arbitrary commands as the web server user; the second exposes the 
     MySQL credentials in config.php to any local user.
    
    
    - -[ Vendor ]-
    
     Cacti's homepage can be found at http://www.raxnet.net/products/cacti/.
     The issues were discussed with, and fixed by, Ian Berry.
     A patch will be released soon.
    
    
    - -[ Description ]-
    
     Cacti has a few security issues:
     
     o Cacti does not validate or escape its input before building the 
       rrdtool 'graph' command line.
      
       Example:
         In graphs.php, add a new graph (graphs.php?action=edit). In the 
         edit mode, choose a title and enter "$(touch /tmp/touched)" as 
         your "vertical label". Now add this new graph to your graph 
         hierarchy. Open graph_view.php and view your newly created graph 
         (of course, it will fail to show the picture). Now, if you run 
         "ls -l /tmp/touched", you will see that this new file was 
         created.
    
     o Cacti does not check the permissions of config.php. This file 
       contains the MySQL username and password. In most installations it 
       ends up world-readable (depending on your umask), so any local user 
       can read the credentials and take over the database.
    
     o Cacti's "Data Input" strings are not checked. 
    
       Example:
         In the console, choose "Data Input". ANY command can be entered 
         as the "input string"; there is no restriction on the path of 
         the command.
    
    
    - -[ Solution ]-
    
     The best solution is to disable all Cacti logins until the vendor has 
     released a new version of Cacti (the upcoming version 0.6.8a is fixed).
    
    
    - -[ Credits ]-
    
     Advisory by spantie <spantie@knights-of-the-routing-table.org>.
     Ian Berry <iberryat_private> for the quick response and fixes!
    
       
    - -[ References ]-
    
     http://www.knights-of-the-routing-table.org
     http://www.raxnet.net/products/cacti/
     http://www.rrdtool.org
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE9dSJRSTSdEkYkA4QRAuRxAKDEuJcHCBRD06XEbp2HQ4NhpUyBRACePyxX
    0PddTmnNUqHvsqyQMMZGq7w=
    =lzYk
    -----END PGP SIGNATURE-----
    
    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 08:52:41 PDT