[UNIX] Cacti Security Vulnerabilities
From: support@securiteam.com
Date: 09/05/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 5 Sep 2002 15:32:07 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cacti Security Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Cacti's goal is to be a complete front-end to rrdtool
(<http://www.rrdtool.org>), storing all of the information needed to create
graphs and populate them with data in a MySQL database. Multiple security
vulnerabilities have been found in the product, allowing an attacker to
execute arbitrary commands and overwrite system files.
DETAILS
Vulnerable systems:
* Cacti versions prior to 0.6.8 (exploitation requires a username/password,
and the account must have administrator rights)
Description:
Cacti has a few security issues:
o Cacti does not validate user input before passing it to the rrdtool
'graph' command.
Example:
In graphs.php, add a new graph (graphs.php?action=edit). In the edit mode,
choose a title and choose "$(touch /tmp/touched)" as your "vertical
label". Now add this new graph in your graph hierarchy. Open
graph_view.php and check out your newly created graph (of course, it will
fail to show you the picture). Now, if you "ls -l /tmp/touched", you will
see that this new file was created.
o Cacti does not check the file permissions of config.php. The file
config.php contains the MySQL username and password. In most cases the file
is world-readable (depending on your umask), thus making it possible for any
local user to take over the database.
o Cacti does not validate the "Data Input" definitions.
Example:
In the console mode, choose "Data Input". Here you can insert ANY command
as "input string". There is no check on "PATH".
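The two defects above (an unchecked label reaching a shell, and a world-readable config.php), shown as an added Python example that is not Cacti's own code; 'printf' stands in for rrdtool, and the label value is a constructed, harmless string that only reveals whether a shell expanded it.

```python
"""Added illustration, not Cacti's own code: the shell-expansion defect behind the
'vertical label' issue and the world-readable config.php check. 'printf' stands
in for rrdtool so the example runs without it installed."""
import os
import shlex
import stat
import subprocess
import tempfile

# Constructed sample label: harmless, it only reveals whether a shell expanded it.
UNTRUSTED_LABEL = "$(echo INJECTED)"


def _run(cmd, use_shell):
    return subprocess.run(cmd, shell=use_shell, capture_output=True, text=True).stdout.strip()


def render_unsafe(label):
    """Vulnerable pattern: the label is spliced into a shell command string, so the
    shell performs $(...) substitution before the tool ever sees the argument."""
    return _run(f'printf "%s\\n" "{label}"', use_shell=True)


def render_quoted(label):
    """If a shell string is unavoidable, quote each argument (PHP: escapeshellarg)."""
    return _run("printf '%s\\n' " + shlex.quote(label), use_shell=True)


def render_safe(label):
    """Preferred fix: an argv list with no shell, so nothing is expanded at all."""
    return _run(["printf", "%s\n", label], use_shell=False)


def is_world_readable(path):
    """True when 'other' can read the file, the config.php exposure described above."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_config_modes():
    """Create temporary stand-ins for config.php at 0644 and 0600 and report which
    one is readable by every local user."""
    results = []
    for mode in (0o644, 0o600):
        fd, path = tempfile.mkstemp()
        os.close(fd)
        os.chmod(path, mode)
        results.append(is_world_readable(path))
        os.unlink(path)
    return tuple(results)
```

With the unsafe path the shell substitutes the label and 'INJECTED' comes back; the quoted and no-shell paths return the label verbatim, and the mode check flags only the 0644 file.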
Solution:
The best solution is to disable all Cacti logins until the vendor has
released a new version of Cacti (upcoming version 0.6.8a is fixed).
Vendor response:
Knights of the Routing Table working together with Ian Berry discussed and
fixed these issues. There will be a patch released soon.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:knights@knights-of-the-routing-table.org> spantie of Knights of
the Routing Table.