Bugzilla – Bug 891916
VUL-0: CVE-2014-5261, CVE-2014-5262: cacti: remote code execution and SQL injection
Last modified: 2015-06-11 09:51:44 UTC
Via oss-security: Date: Tue, 12 Aug 2014 23:07:21 +0200 From: Nico Golde <oss-security+ml@...lde.de> Subject: CVE id request: cacti remote code execution and SQL injection Hi, Mischa Sallé and Wilco Baan Hofman reported a security issue in cacti to Debian when processing arguments passed to the graph settings script: http://svn.cacti.net/viewvc?view=rev&revision=7454 We consider this issue to be public given the public fix. Can someone assign a CVE id? We do have some indication that this was reported in parallel Fedora, in case anyone from RedHat already assigned a CVE id to this. Thanks! Nico References: https://bugzilla.redhat.com/show_bug.cgi?id=1127165
bugbot adjusting priority
Via oss-security: http://seclists.org/oss-sec/2014/q3/386 > http://svn.cacti.net/viewvc?view=rev&revision=7454 > https://bugzilla.redhat.com/show_bug.cgi?id=1127165 > Since there is no check whether $size is actually a number, only that > it starts with a number ... it's possible to insert commands by adding > a ';' followed by any command. Use CVE-2014-5261 for this issue involving shell metacharacters. > Incomplete and incorrect input parsing leads to ... SQL injection > attack scenarios Use CVE-2014-5262 for the SQL injection.
patch still missing
Already fixed, openSUSE 13.1 and 13.2 are at 0.8.8c via version update.