Bugzilla – Bug 958863
VUL-0: CVE-2015-8369: cacti: SQL injection in graph.php
Last modified: 2018-08-03 22:12:23 UTC
CVE-2015-8369 http://bugs.cacti.net/view.php?id=2646

SQL injection in Cacti (0.8.8f and older versions) was discovered in graph.php.

[Author info]
name: KibodWapon
email: changzhao.mao@dbappsecurity.com.cn
blog: http://blog.163.com/cmdbat@126

[Vulnerability info]

/cacti-0.8.8f/graph.php line 25 validates rra_id only after including include_once("./include/top_graph_header.php"):

    /* set default action */
    if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = "view"; }
    if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }

    $guest_account = true;

    include("./include/auth.php");
    include_once("./lib/rrd.php");

    api_plugin_hook_function('graph');

    include_once("./lib/html_tree.php");
    include_once("./include/top_graph_header.php");

    /* ================= input validation ================= */
    input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
    input_validate_input_number(get_request_var("local_graph_id"));
    input_validate_input_number(get_request_var("graph_end"));
    input_validate_input_number(get_request_var("graph_start"));
    input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
    /* ==================================================== */

/cacti-0.8.8f/include/top_graph_header.php line 30: rra_id is not validated:

    /* ================= input validation ================= */
    input_validate_input_number(get_request_var_request("local_graph_id"));
    input_validate_input_number(get_request_var_request("graph_start"));
    input_validate_input_number(get_request_var_request("graph_end"));
    /* ==================================================== */

line 158:

    <?php if ((basename($_SERVER["PHP_SELF"]) == "graph.php") && ($_REQUEST["action"] == "properties")) {?>
    <tr>
        <td valign="top" class='cactiTreeNavigationArea' colspan="3">
            <?php
            $graph_data_array["print_source"] = true;

            /* override: graph start time (unix time) */
            if (!empty($_GET["graph_start"])) {
                $graph_data_array["graph_start"] = get_request_var_request("graph_start");
            }

            /* override: graph end time (unix time) */
            if (!empty($_GET["graph_end"])) {
                $graph_data_array["graph_end"] = get_request_var_request("graph_end");
            }

            /* rra_id reaches rrdtool_function_graph() without having been validated */
            print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
            ?>

\cacti-0.8.8f\lib\rrd.php, function rrdtool_function_graph, line 631:

            $rra["timespan"] = 86400;
        }else{
            /* get a list of RRAs related to this graph */
            $rras = get_associated_rras($local_graph_id);

            if (sizeof($rras) > 0) {
                foreach ($rras as $unchosen_rra) {
                    /* the timespan specified in the RRA "timespan" field may not be accurate */
                    $real_timespan = ($ds_step * $unchosen_rra["steps"] * $unchosen_rra["rows"]);

                    /* make sure the current start/end times fit within each RRA's timespan */
                    if ( (($graph_data_array["graph_end"] - $graph_data_array["graph_start"]) <= $real_timespan) && ((time() - $graph_data_array["graph_start"]) <= $real_timespan) ) {
                        /* is this RRA better than the already chosen one? */
                        if ((isset($rra)) && ($unchosen_rra["steps"] < $rra["steps"])) {
                            $rra = $unchosen_rra;
                        }else if (!isset($rra)) {
                            $rra = $unchosen_rra;
                        }
                    }
                }
            }

            if (!isset($rra)) {
                $rra["rows"] = 600;
                $rra["steps"] = 1;
            }
        }
    }else{
        // sql injection here
        $rra = db_fetch_row("select timespan,rows,steps from rra where id=$rra_id");
    }

[Exploit]
poc: http://192.168.x.x/cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776

This PHP file in older versions of Cacti may be accessible anonymously, according to the cases I found on the internet. The latest version of Cacti may require normal user privileges.
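The defensive pattern for the rra_id path described above, as an added example that is neither Cacti's code nor the svn 7767 patch: it applies the same "^([0-9]+|all)$" check that graph.php uses before the value can reach the query, and binds the id as a parameter instead of interpolating it. The functions validate_rra_id() and fetch_rra() and the in-memory SQLite table are constructed for this example.

```php
<?php
// Added example (not Cacti's code): validate rra_id before it reaches the
// "select ... from rra where id=$rra_id" query, and bind it as a parameter.

/* Mirror of the graph.php rule: rra_id must be all digits or the literal "all". */
function validate_rra_id(string $value): bool
{
    return preg_match('/^([0-9]+|all)$/', $value) === 1;
}

/* Return the RRA row for $rra_id, or null when the value is rejected or unknown. */
function fetch_rra(PDO $db, string $rra_id): ?array
{
    if (!validate_rra_id($rra_id)) {
        return null;   // reject: never interpolate an unvalidated value into SQL
    }
    if ($rra_id === 'all') {
        return null;   // "all" is served by the RRA timespan-selection branch, not by this query
    }
    $stmt = $db->prepare('SELECT timespan, "rows", steps FROM rra WHERE id = :id');
    $stmt->bindValue(':id', (int) $rra_id, PDO::PARAM_INT);   // bound integer, not a string splice
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/* Constructed in-memory table standing in for Cacti's rra table, so the example runs offline. */
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rra (id INTEGER PRIMARY KEY, timespan INTEGER, "rows" INTEGER, steps INTEGER)');
$db->exec('INSERT INTO rra VALUES (1, 86400, 600, 1)');

/* Constructed candidate values: a valid id, the "all" keyword, a value with trailing SQL, and an empty string. */
foreach (['1', 'all', '1 and 1=1', ''] as $candidate) {
    $row = fetch_rra($db, $candidate);
    printf("%-12s -> %s\n", var_export($candidate, true), $row ? json_encode($row) : 'rejected');
}
```

Only the first candidate returns a row; the others are rejected before any SQL is built, which is the behaviour the missing check in top_graph_header.php should have provided.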
bugbot adjusting priority
Patch available http://svn.cacti.net/viewvc?view=rev&revision=7767 Please submit.
Looks like cacti does not have a clear primary bugowner. I am taking bug 958863, bug 958977, bug 958977 and will submit unless someone else takes them and beats me to it.
https://build.opensuse.org/request/show/358606
https://build.opensuse.org/request/show/358610
https://build.opensuse.org/request/show/358614
https://build.opensuse.org/request/show/358612
This is an autogenerated message for OBS integration: This bug (958863) was mentioned in
https://build.opensuse.org/request/show/358753 42.1 / cacti-spine+cacti
https://build.opensuse.org/request/show/358754 13.2 / cacti-spine+cacti
https://build.opensuse.org/request/show/358755 13.1 / cacti
all submitted, updates running
Release updates
openSUSE-SU-2016:0437-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 958863,958977,960678,965864,965930 CVE References: CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313 Sources used: openSUSE 13.2 (src): cacti-0.8.8f-4.13.1, cacti-spine-0.8.8f-4.3.1
openSUSE-SU-2016:0438-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 958863,958977,960678,965930 CVE References: CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313 Sources used: openSUSE Leap 42.1 (src): cacti-0.8.8f-8.1, cacti-spine-0.8.8f-5.1
openSUSE-SU-2016:0440-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 958863,958977,960678,965864,965930 CVE References: CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313 Sources used: openSUSE 13.1 (src): cacti-0.8.8f-17.1
This is an autogenerated message for OBS integration: This bug (958863) was mentioned in https://build.opensuse.org/request/show/625957 Backports:SLE-12 / cacti
openSUSE-OU-2018:2194-1: An update that fixes 33 vulnerabilities is now available. Category: optional (low) Bug References: 022564,1047512,1048102,1050950,1051633,1054390,1054742,1067163,1067164,1067166,1068028,1101024,1101139,837440,862993,867607,870821,872008,934187,937997,958863,958977,960678,965930,971357,974013 CVE References: CVE-2006-6799,CVE-2007-3112,CVE-2007-3113,CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2327,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709,CVE-2014-4000,CVE-2014-4002,CVE-2014-5025,CVE-2014-5026,CVE-2015-4342,CVE-2015-4634,CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313,CVE-2016-3172,CVE-2016-3659,CVE-2017-10970,CVE-2017-11163,CVE-2017-11691,CVE-2017-12065,CVE-2017-12927,CVE-2017-12978,CVE-2017-15194,CVE-2017-16641,CVE-2017-16660,CVE-2017-16661,CVE-2017-16785 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.1.38-2.1