Re: CVE request: SQL injection and shell escaping issues in Cacti < 0.8.8b

[Salvatore Bonaccorso <carnil () debian org>]

Hi Kurt, hi Vincent,

On Wed, Aug 07, 2013 at 11:18:53AM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/07/2013 10:06 AM, Vincent Danen wrote:
> > Cacti 0.8.8b was released today [1] with a changelog that notes:
> >
> > Cacti 0.8.8b Change Log [...] * security: SQL injection and shell
> > escaping issues
> >
> > It looks like the SQL injection issue is in api_poller.php and 
> > utility.php [2]
> >
> > I think there are two shell escaping issue:
> >
> > 1) snmp.php: Use escapeshellarg() instead of custom escape function
> > for snmp library [3] 2) rrd.php: Properly escape all user input for
> > consumption by rrdtool [4]
> >
> >
> > [1] http://sourceforge.net/mailarchive/message.php?msg_id=31258868 
> > [2] http://svn.cacti.net/viewvc?view=rev&revision=7394 [3]
> > http://svn.cacti.net/viewvc?view=rev&revision=7392 [4]
> > http://svn.cacti.net/viewvc?view=rev&revision=7393
> >
> >
> > Looks like 3 CVEs are needed.
>
> JUST FYI vdanen/myself were emailed off list about some CVE's that may
> have already been assigned to this. Just waiting on that info before
> proceeding.

The Debian Security Team had assigned the following CVEs:

CVE-2013-1434: for the SQL injection issues, fixed by
http://svn.cacti.net/viewvc?view=rev&revision=7394

CVE-2013-1435: for the shell escaping issues, fixed by
http://svn.cacti.net/viewvc?view=rev&revision=7392 and
http://svn.cacti.net/viewvc?view=rev&revision=7393

Regards,
Salvatore

Attachment: signature.asc
Description: Digital signature