Bugzilla – Bug 971357
VUL-0: CVE-2016-3172: cacti: SQL Injection Vulnerability
Last modified: 2018-08-03 22:12:59 UTC
CVE-2016-3172

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: Do9gy of Tencent Security Platform Department
Affected Version: 0.8.8.g(the latest version & the older versions)
==========================
Vulnerability Description
==========================
Recently, I found a SQL Injection Vulnerability in the 'Cacti-0.8.8g' program. Cacti is widely used in many companies.

Vulnerable file: /cacti/tree.php: line 208:
==========================================================================================================================================
switch ($current_type) {
case TREE_ITEM_TYPE_HEADER:
    $i = 0;

    /* it's nice to default to the parent sorting style for new items */
    if (empty($_GET["id"])) {
        $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
    }else{
        $default_sorting_type = TREE_ORDERING_NONE;
    }
==========================================================================================================================================
The parameter parent_id is used without any validation.
==========================
POC && EXP
==========================
1. Login
2. http://target/cacti-0.8.8g/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1)
3. mysql log: select sort_children_type from graph_tree_items where id=8 and sleep(1)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3172
http://seclists.org/oss-sec/2016/q1/651
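For triage on hosts that ran an affected version, the following added example (not part of the advisory or of Cacti) scans web server access logs for tree.php requests whose id, tree_id or parent_id value is not a plain integer. The combined log format, the sample lines and the function names are assumptions; the digits-only rule is deliberately stricter than a general numeric check, and values sent in POST bodies do not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request parameters that tree.php expects to be numbers.
NUMERIC_PARAMS = ("id", "tree_id", "parent_id")
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
DIGITS_RE = re.compile(r"[0-9]+")

def non_numeric_params(url):
    """Return {param: decoded value} for tree.php params that are not digits."""
    parts = urlsplit(url)
    if not parts.path.endswith("/tree.php"):
        return {}
    bad = {}
    # parse_qsl percent-decodes, so %20 and + are spaces before the check.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and value and not DIGITS_RE.fullmatch(value):
            bad[name] = value
    return bad

def scan(lines):
    """Yield (line_number, offending_params) for each suspicious log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            bad = non_numeric_params(m.group(1))
            if bad:
                yield n, bad

# Constructed sample log lines (client addresses from a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2016:15:10:01 -0500] "GET /cacti/tree.php?action=item_edit&tree_id=2&parent_id=8 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Mar/2016:15:12:09 -0500] "GET /cacti/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1) HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Mar/2016:15:13:30 -0500] "GET /cacti/graph_view.php?action=tree&tree_id=2 HTTP/1.1" 200 9001',
    '192.0.2.44 - - [15/Mar/2016:15:14:02 -0500] "GET /cacti/tree.php?action=edit&id= HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for n, bad in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric tree.php parameter(s): {bad}")
```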
This seems to fix it... diff -u tree.php.orig tree.php --- tree.php.orig 2016-03-15 15:15:37.646641203 -0500 +++ tree.php 2016-03-15 15:19:45.966120414 -0500 @@ -153,6 +153,7 @@ /* ================= input validation ================= */ input_validate_input_number(get_request_var("id")); input_validate_input_number(get_request_var("tree_id")); + input_validate_input_number(get_request_var("parent_id")); /* ==================================================== */ if (!empty($_GET["id"])) {
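Review bot: the query that consumes parent_id is not touched by this patch, so the fix depends entirely on the new input_validate_input_number(get_request_var("parent_id")) line in the validation block at line 153 running before every path that reaches it. The statement quoted in the advisory at tree.php line 208 still concatenates $_GET["parent_id"] straight into the SQL string. I would keep the added validation and also harden the query site itself, for example by casting the value to an integer where it is appended to "where id=", so the statement stays safe if it is later reached from code that skips this block. It is also worth checking whether any other action in tree.php reads parent_id outside the function this hunk patches, since only one validation block is shown here.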
References:
http://seclists.org/oss-sec/2016/q1/651
http://bugs.cacti.net/view.php?id=2667
bugbot adjusting priority
Cacti 0.8.8h released. Fix for 0.8.8f: https://build.opensuse.org/request/show/394348
SR#394348 accepted. Maintenance target got moved to project openSUSE:Maintenance:5077
openSUSE-SU-2016:1328-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 971357,974013
CVE References: CVE-2016-3172,CVE-2016-3659
Sources used:
openSUSE Leap 42.1 (src): cacti-0.8.8f-11.1
openSUSE 13.2 (src): cacti-0.8.8f-4.16.1
released
This is an autogenerated message for OBS integration:
This bug (971357) was mentioned in
https://build.opensuse.org/request/show/625957 Backports:SLE-12 / cacti
openSUSE-OU-2018:2194-1: An update that fixes 33 vulnerabilities is now available.

Category: optional (low)
Bug References: 022564,1047512,1048102,1050950,1051633,1054390,1054742,1067163,1067164,1067166,1068028,1101024,1101139,837440,862993,867607,870821,872008,934187,937997,958863,958977,960678,965930,971357,974013
CVE References: CVE-2006-6799,CVE-2007-3112,CVE-2007-3113,CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2327,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709,CVE-2014-4000,CVE-2014-4002,CVE-2014-5025,CVE-2014-5026,CVE-2015-4342,CVE-2015-4634,CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313,CVE-2016-3172,CVE-2016-3659,CVE-2017-10970,CVE-2017-11163,CVE-2017-11691,CVE-2017-12065,CVE-2017-12927,CVE-2017-12978,CVE-2017-15194,CVE-2017-16641,CVE-2017-16660,CVE-2017-16661,CVE-2017-16785
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.1.38-2.1