oss-sec mailing list archives
Re: please assign CVE for cacti bug 2667: SQL Injection Vulnerability
From: Tim Zingelman <tez () pkgsrc org>
Date: Tue, 15 Mar 2016 15:27:05 -0500
This seems to fix it... diff -u tree.php.orig tree.php --- tree.php.orig 2016-03-15 15:15:37.646641203 -0500 +++ tree.php 2016-03-15 15:19:45.966120414 -0500 @@ -153,6 +153,7 @@ /* ================= input validation ================= */ input_validate_input_number(get_request_var("id")); input_validate_input_number(get_request_var("tree_id")); + input_validate_input_number(get_request_var("parent_id")); /* ==================================================== */ if (!empty($_GET["id"])) { On Thu, Mar 10, 2016 at 10:06 AM, Paul Gevers <elbrus () debian org> wrote:
Hi

I just found the description below about an sql vulnerability in the cacti bug tracker:
http://bugs.cacti.net/view.php?id=2667

Can a CVE be assigned for this issue?

Thanks

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: Do9gy of Tencent Security Platform Department
Affected Version: 0.8.8.g(the latest version & the older versions)
==========================
Vulnerability Description
==========================
Recently, I found a SQL Injection Vulnerability in 'Cacti-0.8.8g' program, Cacti is widely used in many companies.

Vulnerable file: /cacti/tree.php: line 208:
==========================================================================================================================================
switch ($current_type) {
case TREE_ITEM_TYPE_HEADER:
    $i = 0;

    /* it's nice to default to the parent sorting style for new items */
    if (empty($_GET["id"])) {
        $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
    }else{
        $default_sorting_type = TREE_ORDERING_NONE;
    }
==========================================================================================================================================
The parameter parent_id is used without any validation.
==========================
POC && EXP
==========================
1. Login
2. http://target/cacti-0.8.8g/tree.php?action=item_edit&tree_id=2&parent_id=8%20and%20sleep(1)
3. mysql log: select sort_children_type from graph_tree_items where id=8 and sleep(1)
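Review bot: the added input_validate_input_number(get_request_var("parent_id")) line in the input validation block checks the value only at entry, while the query quoted in the advisory (tree.php line 208) still concatenates $_GET["parent_id"] straight into the SQL string. The @@ header carries no function name, so it is worth confirming that this validation block sits in the handler that reaches line 208 for action=item_edit, and adding a comment at the query noting that it depends on that check. Casting the value to an integer at the query itself would keep the sink safe if the validation block is later moved or a new caller skips it.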
Current thread:
- please assign CVE for cacti bug 2667: SQL Injection Vulnerability Paul Gevers (Mar 10)
- Re: please assign CVE for cacti bug 2667: SQL Injection Vulnerability Tim Zingelman (Mar 15)
- Re: please assign CVE for cacti bug 2667: SQL Injection Vulnerability cve-assign (Mar 15)