-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.001
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.001
Advisory Published:      2007-01-01 20:55 UTC

Issue Id (internal):     OpenPKG-SI-20070101.01
Issue First Created:     2007-01-01
Issue Last Modified:     2007-01-01
Issue Revision:          09
____________________________________________________________________________

Subject Name:            Cacti
Subject Summary:         Network Monitoring and Graphing Frontend
Subject Home:            http://www.cacti.net/
Subject Versions:        * <= 0.8.6i

Vulnerability Id:        none
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           manipulation of data, arbitrary code execution

Description:
    Three vulnerabilities have been identified and exploited [0] in the
    network monitoring and graphing frontend Cacti [1], versions up to
    and including 0.8.6i. They can be exploited by malicious people to
    bypass certain security restrictions, manipulate data and compromise
    vulnerable systems.
    
    First, the "cmd.php" script does not properly restrict access
    to command line usage and is installed in a Web-accessible
    location. Successful exploitation requires that the PHP variable
    "register_argc_argv" is enabled, which is the default in the OpenPKG
    "cacti" package.
    
    Second, input passed in the URL to "cmd.php" is not properly
    sanitised before being used in SQL queries. This can be exploited
    to manipulate SQL queries by injecting arbitrary SQL code.
    Successful exploitation again requires that the PHP variable
    "register_argc_argv" is enabled, which is the default in the OpenPKG
    "cacti" package.
    
    Third, the results from the SQL queries passed by an attacker to
    "cmd.php" are not properly sanitised before being used as shell
    commands. This can also be exploited to inject arbitrary shell
    commands.

References:
    [0] http://www.milw0rm.com/exploits/3029
    [1] http://www.cacti.net/
____________________________________________________________________________

Primary Package Name:    cacti
Primary Package Home:    http://openpkg.org/go/package/cacti

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        cacti-0.8.6i-E1.0.1
OpenPKG Community        2-STABLE-20061018 cacti-0.8.6i-2.20070101
OpenPKG Community        2-STABLE          cacti-0.8.6i-2.20070101
OpenPKG Community        CURRENT           cacti-0.8.6i-20070101
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP key of the OpenPKG GmbH (public key id 61B7AE34), which
you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD4DBQFFmWcnZwQuyWG3rjQRAuxRAJQOgbiiUxvdzP49SwiSqOoairz1AJ4v/e0A
pMG5BaGeIVcKH7Dnh7PSUQ==
=QT1T
-----END PGP SIGNATURE-----
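
Added example (not part of the OpenPKG advisory and not Cacti code): a log check for the first issue in the Description, flagging any HTTP request that reaches the command-line poller "cmd.php" and counting the arguments PHP would derive from the query string when "register_argc_argv" is enabled. It assumes Apache common/combined access-log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache combined-log style (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2007:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jan/2007:10:00:05 +0000] "GET /cacti/cmd.php?ARG1+ARG2+ARG3 HTTP/1.0" 200 312',
    '198.51.100.7 - - [02/Jan/2007:10:00:09 +0000] "GET /cacti/cmd%2Ephp HTTP/1.0" 403 199',
    '203.0.113.4 - - [02/Jan/2007:10:01:00 +0000] "GET /docs/cmd.php.txt HTTP/1.1" 404 0',
]

# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def argv_from_query(query):
    # Approximates how PHP fills argv for a web request when
    # register_argc_argv is on: the query string split on '+'.
    return query.split("+") if query else []

def find_poller_hits(lines, script="cmd.php"):
    """Return one record per HTTP request whose path names the CLI-only script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        host, when, method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode %-escapes so "cmd%2Ephp" is not missed; match whole segments only.
        segments = [s.lower() for s in unquote(parts.path).split("/")]
        if script not in segments:
            continue
        hits.append({
            "host": host, "time": when, "method": method,
            "argc": len(argv_from_query(parts.query)),
            # 2xx means the web server executed the script instead of refusing it.
            "served": status.startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_poller_hits(SAMPLE_LOG):
        level = "ALERT" if hit["served"] else "note"
        print(f'{level}: {hit["host"]} {hit["method"]} cmd.php '
              f'argc={hit["argc"]} at {hit["time"]}')
```

Because the poller is meant to be started from the command line only, every served hit is worth reviewing regardless of its arguments.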
