OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Knights of the Routing Table (knights_at_knights-of-the-routing-table.org)
Date: Tue Sep 03 2002 - 16:06:22 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Name: Cacti security issues
    Original: http://www.knights-of-the-routing-table.org
              /advisories/krt_001_20020903_cacti.txt

    - -[ General info ]-

     As quoted from http://www.rrdtool.org:
     "Cacti's goal is to be a complete frondend to rrdtool, storing all of
     the necessary information to create graphs and populate them with data
     in a MySQL database".

    - -[ Affected ]-

     Any system running Cacti < 0.6.8. For exploitation an username/password
     is needed; the username must have administrator rights.

    - -[ Impact ]-

     VERY LOW.
     As mentioned before, administrator rights are needed for exploitation.

    - -[ Vendor ]-

     Cacti's homepage can be found at http://www.raxnet.net/products/cacti/.
     Together with Ian Berry the issues were discussed and fixed.
     There will be a patch released soon.

    - -[ Description ]-

     Cacti has a few security issues:
     
     o Cacti is not checking its input when performing the rrdtool 'graph'
       command.
      
       Example:
         In graphs.php, add a new graph (graphs.php?action=edit). In the
         edit mode, choose a title and choose "$(touch /tmp/touched)" as
         your "vertical label". Now add this new graph in your graph
         hierarchy. Open graph_view.php and check out your newly created
         graph (off course, it will fail showing you the picture). Now, if
         you "ls -l /tmp/touched", you will see that this new file was
         created.

     o Cacti does not check the file permission of config.php. The file
       config.php contains a MySQL username and password. The file will
       be world wide readable in most cases (depending on your umask) and
       thus making it possible for any user to take over the database.

     o Cacti's data input is not checked on it's input.

       Example:
         In the console mode, choose "Data Input". Here you can insert ANY
         command as "input string". There is no check on "PATH".

    - -[ Solution ]-

     The best solution is to disable all Cacti logins until the vendor has
     released a new version of Cacti (upcoming version 0.6.8a is fixed).

    - -[ Credits ]-

     Advisory by spantie <spantieknights-of-the-routing-table.org>.
     Ian Berry <iberryraxnet.net> for the quick response and fixes!

       
    - -[ References ]-

     http://www.knights-of-the-routing-table.org
     http://www.raxnet.net/products/cacti/
     http://www.rrdtool.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6
    Comment: For info see http://www.gnupg.org

    iD8DBQE9dSJRSTSdEkYkA4QRAuRxAKDEuJcHCBRD06XEbp2HQ4NhpUyBRACePyxX
    0PddTmnNUqHvsqyQMMZGq7w=
    =lzYk
    -----END PGP SIGNATURE-----