|| ||Knights of the Routing Table <email@example.com>|
|| ||Cacti security issues|
|| ||Tue, 3 Sep 2002 23:06:22 +0200 (CEST)|
-----BEGIN PGP SIGNED MESSAGE-----
Name: Cacti security issues
- -[ General info ]-
As quoted from http://www.rrdtool.org:
"Cacti's goal is to be a complete frondend to rrdtool, storing all of
the necessary information to create graphs and populate them with data
in a MySQL database".
- -[ Affected ]-
Any system running Cacti < 0.6.8. For exploitation an username/password
is needed; the username must have administrator rights.
- -[ Impact ]-
As mentioned before, administrator rights are needed for exploitation.
- -[ Vendor ]-
Cacti's homepage can be found at http://www.raxnet.net/products/cacti/.
Together with Ian Berry the issues were discussed and fixed.
There will be a patch released soon.
- -[ Description ]-
Cacti has a few security issues:
o Cacti is not checking its input when performing the rrdtool 'graph'
In graphs.php, add a new graph (graphs.php?action=edit). In the
edit mode, choose a title and choose "$(touch /tmp/touched)" as
your "vertical label". Now add this new graph in your graph
hierarchy. Open graph_view.php and check out your newly created
graph (off course, it will fail showing you the picture). Now, if
you "ls -l /tmp/touched", you will see that this new file was
o Cacti does not check the file permission of config.php. The file
config.php contains a MySQL username and password. The file will
be world wide readable in most cases (depending on your umask) and
thus making it possible for any user to take over the database.
o Cacti's data input is not checked on it's input.
In the console mode, choose "Data Input". Here you can insert ANY
command as "input string". There is no check on "PATH".
- -[ Solution ]-
The best solution is to disable all Cacti logins until the vendor has
released a new version of Cacti (upcoming version 0.6.8a is fixed).
- -[ Credits ]-
Advisory by spantie <firstname.lastname@example.org>.
Ian Berry <email@example.com> for the quick response and fixes!
- -[ References ]-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
to post comments)