Debian Bug report logs - #315703
cacti: remote vulnerabilities (CAN 2005-{1524,1525,1526})


Package: cacti; Maintainer for cacti is Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>; Source for cacti is src:cacti.

Reported by: seanius <seanius@debian.org>

Date: Sat, 25 Jun 2005 05:33:10 UTC

Severity: critical

Tags: sarge, security

Found in versions 0.8.6d-1, 0.8.6c-7

Done: sean finney <seanius@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to seanius <seanius@debian.org>:
New Bug report received and forwarded. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: seanius <seanius@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: vulnerable to remote exploit
Date: Sat, 25 Jun 2005 00:59:58 -0400
Package: cacti
Version: 0.8.6d-1
Severity: critical
Tags: sarge
Justification: root security hole

Multiple Vendor Cacti Remote File Inclusion Vulnerability:
 http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities

Multiple Vendor Cacti config_settings.php Remote Code Execution Vulnerability:
 http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities

Multiple Vendor Cacti Multiple SQL Injection Vulnerabilities:
 http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities

note that these cannot by themselves gain root access on a system,
though they have been reported to be used to leverage root on sarge
systems.

an update has been sitting on my p.d.o site since last friday, but
there has not yet been a security upload.  i'll send the latest i mailed
to folks as an update to this bug.


	sean

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10-9-amd64-k8
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages cacti depends on:
ii  apache                       1.3.33-6    versatile, high-performance HTTP s
ii  apache-ssl                   1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.50      Debian configuration management sy
ii  libphp-adodb                 4.52-1      The 'adodb' database abstraction l
ii  logrotate                    3.7-5       Log rotation utility
ii  mysql-client-4.1 [mysql-clie 4.1.11a-4   mysql database client binaries
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cli                     4:4.3.10-15 command-line interpreter for the p
ii  php4-mysql                   4:4.3.10-15 MySQL module for php4
ii  php4-snmp                    4:4.3.10-15 SNMP module for php4
ii  rrdtool                      1.0.49-1    Time-series data storage and displ
ii  snmp                         5.1.2-6.1   NET SNMP (Simple Network Managemen
ii  ucf                          1.18        Update Configuration File: preserv

-- debconf information excluded




Message #10 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: 315703@bugs.debian.org
Subject: [seanius@debian.org: updates on cacti package for sarge?]
Date: Sat, 25 Jun 2005 15:21:05 -0400
----- Forwarded message from sean finney <seanius@debian.org> -----

Date: Sat, 25 Jun 2005 00:09:33 -0400
From: sean finney <seanius@debian.org>
To: Fabian Portmann <chupame@chupame.ch>, Laurent Perez <hakimm@gmail.com>,
	Dwayne Rightler <drightler@technicalogic.com>
Subject: updates on cacti package for sarge?

hey folks,

please excuse the group reply, but i've gotten a few of these and
would like to address everything in the same mail.

yes, the version in cacti (0.8.6c-foo) is vulnerable to the exploit
mentioned on cacti's page.  i was contacted about this vulnerability
about 4 or 5 days before the announcement came out.  during this time,
i prepared an upload of the latest (and security-patched) version of
cacti, as well as a sarge version containing the backported security
patches.  

i sent the sarge update to the security team last friday (three days
before the announcement), and since then have been waiting to hear
something from them.  i know joey is not available to help out with this
because he's at linuxtag, and it's my understanding that steve is going
to be doing the upload.

any updates steve?

anyway at this point, you have two options:

1 - install the latest version of cacti from unstable
2 - install my patched cacti sarge package, which will be eventually
    superseded by the DSA

if you want to do [2], put the following in your sources.list:

deb http://people.debian.org/~seanius/cacti ./

the version in my p.d.o repository is 0.8.6c-7sarge0, which will be
superseded by 0.8.6c-7sarge1 when the security team does an update.
if you want to do [1], there shouldn't be any problems as it doesn't
bring in any new dependencies etc.

so, at this point i will open a security tagged bug in the BTS to have
some way of tracking the problem, as well as cc'ing the security team.


	sean

----- End forwarded message -----

Message #15 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Guillaume Rischard <guillaume@stereo.lu>
Cc: team@security.debian.org, 315703@bugs.debian.org, control@bugs.debian.org
Subject: Re: Urgent: cacti CAN-2005-1524 etc. in 0.8.6.d
Date: Sat, 25 Jun 2005 19:17:45 -0400
retitle 315703 cacti: remote vulnerabilities (CAN 2005-{1524,1525,1526})
thanks

hi guillaume,

On Sat, Jun 25, 2005 at 01:45:16PM +0200, Guillaume Rischard wrote:
> The Cacti exploit bug just bit me. I got exploited two times, once  
> from romania and once from spain:

<snip>

> Can I please urge you to get the security team to move the new .deb  
> to testing and stable as quickly as possible to prevent this from  
> happening to other people?

honestly, i don't know what's holding up the process for either of the
versions.  wrt stable, the version on my p.d.o site (see the bug
report[1]) is waiting on the security team for upload.  wrt testing,
i have absolutely no idea why it hasn't already made it in (it looks
like a general problem with package migration into testing?)

in any case, my best recommendation is to take either the package
on my p.d.o site or start tracking cacti from unstable for the time
being.


	sean

ps - thanks for pointing out there are now CAN numbers assigned, i've
     retitled the bug report appropriately.

[1] http://bugs.debian.org/315703

Changed Bug title. Request was from sean finney <seanius@debian.org> to control@bugs.debian.org.

Tags added: security. Request was from sean finney <seanius@debian.org> to control@bugs.debian.org.

Message #24 received at 315703@bugs.debian.org:

From: yoann <informatique-nospam@mistur.org>
To: Debian Bug Tracking System <315703@bugs.debian.org>
Subject: Sarge still vulnerable
Date: Sat, 02 Jul 2005 11:15:50 +0200
Package: cacti
Version: 0.8.6c-7
Followup-For: Bug #315703

A full sarge server was compromised by this vulnerability.
Will the patch be available soon for debian stable?

thanks

Yoann

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cacti depends on:
ii  apache                       1.3.33-6    versatile, high-performance HTTP s
ii  apache-ssl                   1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  libphp-adodb                 4.52-1      The 'adodb' database abstraction l
ii  logrotate                    3.7-5       Log rotation utility
ii  mysql-client                 4.0.24-10   mysql database client binaries
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cli                     4:4.3.10-15 command-line interpreter for the p
ii  php4-mysql                   4:4.3.10-15 MySQL module for php4
ii  php4-snmp                    4:4.3.10-15 SNMP module for php4
ii  rrdtool                      1.0.49-1    Time-series data storage and displ
ii  snmp                         5.1.2-6.1   NET SNMP (Simple Network Managemen
ii  ucf                          1.17        Update Configuration File: preserv

-- debconf information:
* cacti/username: cacti
  cacti/poller_name: /usr/share/cacti/cmd.php
* cacti/mysql_server: localhost
* cacti/webserver: Apache-SSL
* cacti/save_rootpw: false
* cacti/dump_location: /var/cache/cacti/dumps
  cacti/default-poller: cacti
  cacti/upgrade_warning:
* cacti/no_automagic:
  cacti/no_mysql: false
* cacti/purge_db: true
  cacti/no_mysql_message:
* cacti/database: cacti
  cacti/mismatch:



Message #29 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: yoann <informatique-nospam@mistur.org>, 315703@bugs.debian.org
Subject: Re: Bug#315703: Sarge still vulnerable
Date: Sat, 2 Jul 2005 10:14:12 -0400
hi yoann,

On Sat, Jul 02, 2005 at 11:15:50AM +0200, yoann wrote:
> A full sarge server was compromised by this vulnerability
> is the patch will be availbale soon for debian stable ?

it's hard to tell.  unfortunately 3 *more* vulnerabilities were
released yesterday, so i see one of two things happening:

- we release the previous security release, and then you'll be
  waiting for the second security release
- the timer resets and we release both updates at the same time,
  at a later time.

in any case, cacti will not be "safe" for another week by my guesses
(though this is ultimately out of my hands).  in the meantime,
you can grab the debs from my people.debian.org site (which do not yet
fix the second set of vulnerabilities, but check for a version -7sarge2
in the next 24 hours), or grab cacti from unstable, which addresses both
groups of vulnerabilities.


	sean


Message #34 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: 315703@bugs.debian.org, 316590@bugs.debian.org
Cc: team@security.debian.org
Subject: cacti security update, second version available fixing all issues
Date: Sat, 2 Jul 2005 22:29:28 -0400
hi,

i've prepared a new version which addresses both the previous issues
addressed in sarge0 and the new hardened-php reported issues:

deb http://people.debian.org/~seanius/cacti/sarge ./
deb-src http://people.debian.org/~seanius/cacti/sarge ./

version: 0.8.6c-7sarge2

note the sources have changed from the previous location.



	sean


Message #39 received at 315703@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: sean finney <seanius@debian.org>
Cc: 315703@bugs.debian.org, 316590@bugs.debian.org, team@security.debian.org
Subject: Re: cacti security update, second version available fixing all issues
Date: Wed, 6 Jul 2005 21:26:18 +0200
sean finney wrote:
> hi,
> 
> i've prepared a new version which addresses both the previous issues
> addressed in sarge0 and the new hardened-php reported issues:
> 
> deb http://people.debian.org/~seanius/cacti/sarge ./
> deb-src http://people.debian.org/~seanius/cacti/sarge ./
> 
> version: 0.8.6c-7sarge2
> 
> note the sources have changed from the previous location.

I have modified the version to reflect the needs for security a bit.
Two more CVE ids have been assigned:

======================================================
Candidate: CAN-2005-2148
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2148
Reference: MISC:http://www.hardened-php.net/advisory-032005.php
Reference: MISC:http://www.hardened-php.net/advisory-042005.php
Reference: MLIST:[cacti-announce] 20050701 Cacti 0.8.6f Released
Reference: URL:http://sourceforge.net/mailarchive/forum.php?forum_id=10360&max_rows=25&style=flat&viewmonth=200507&viewday=1
Reference: CONFIRM:http://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch

Cacti 0.8.6e and earlier does not perform proper input validation to
protect against common attacks, which allows remote attackers to
execute arbitrary commands or SQL by sending a legitimate value in a
POST request or cookie, then specifying the attack string in the URL,
which causes the get_request_var function to return the wrong value in
the $_REQUEST variable, which is cleansed while the original malicious
$_GET value remains unmodified, as demonstrated in (1) graph_image.php
and (2) graph.php.


======================================================
Candidate: CAN-2005-2149
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2149
Reference: MISC:http://www.hardened-php.net/advisory-052005.php
Reference: MLIST:[cacti-announce] 20050701 Cacti 0.8.6f Released
Reference: URL:http://sourceforge.net/mailarchive/forum.php?forum_id=10360&max_rows=25&style=flat&viewmonth=200507&viewday=1
Reference: CONFIRM:http://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch

config.php in Cacti 0.8.6e and earlier allows remote attackers to set
to modify session information to gain privileges and disable the use
of addslashes to protect against SQL injection by setting the
no_http_headers switch.

Please mention them in the sid package as well when you're doing
the next upload.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Message #44 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>, 316590@bugs.debian.org
Cc: 315703@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#316590: cacti security update, second version available fixing all issues
Date: Wed, 6 Jul 2005 19:02:55 -0400
hi joey,

On Wed, Jul 06, 2005 at 09:26:18PM +0200, Martin Schulze wrote:
> I have modified the version to reflect the needs for security a bit.

okay, is this wrt the broken debian diff previously discussed, or
something else?

> Two more CVE ids have been assigned:

i'll put a mention of them in sid's svn right now.


	sean


Message #49 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>, 316590@bugs.debian.org
Cc: 315703@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#316590: cacti security update, second version available fixing all issues
Date: Wed, 6 Jul 2005 23:09:38 -0400
hey again..

On Wed, Jul 06, 2005 at 07:02:55PM -0400, sean finney wrote:
> hi joey,
> 
> On Wed, Jul 06, 2005 at 09:26:18PM +0200, Martin Schulze wrote:
> > I have modified the version to reflect the needs for security a bit.
> 
> okay, is this wrt the broken debian diff previously discussed, or
> something else?

fyi, looks like the patch for 7sarge2 includes an errant config.php.orig
file, which can be safely discarded (was probably from my attempts to
massage in the patch)

	sean


Message #54 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: 315703@bugs.debian.org, 316590@bugs.debian.org
Cc: team@security.debian.org
Subject: woody backport now available for all cacti security issues
Date: Mon, 11 Jul 2005 22:08:35 -0400
another update,

the security release for cacti has been delayed due to complications
backporting the security fix into the version in woody, which is a major
release (and rewrite) behind the versions in sarge and sid.  

joey from the security team provided an initial attempt at backporting
the backport to woody, but unfortunately it was not sufficient to
completely address the vulnerability.  it also did not include fixes for
the second set of vulnerabilities released by the hardened-php project.

having spent more time hacking on it than i'd have liked, i've now
produced a new version of the backport, which i believe should address
all of the relevant security issues.

it can be found at the following uris:

deb http://people.debian.org/~seanius/cacti/woody ./
deb-src http://people.debian.org/~seanius/cacti/woody ./

all this said, i think it should be strongly emphasized that upstream
is no longer supporting the woody version of cacti and does not provide
updates for it, and users should be advised to upgrade to at least the
version in sarge ASAP.  i'm also not convinced that there aren't other
security issues in the woody version, but can at least feel reasonably
comfortable that of the recently published vulnerabilities woody's cacti
should be okay with this new revision.

joey, mike, et al: is there anything else you need from me?


thanks,
	sean


Message #59 received at 315703@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 315703@bugs.debian.org, 316590@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: woody backport now available for all cacti security issues
Date: Wed, 13 Jul 2005 18:28:21 +0200
sean finney wrote:
> another update,
> 
> the security release for cacti has been delayed due to complications
> backporting the security fix into the version in woody, which is a major
> release (and rewrite) behind the versions in sarge and sid.  
> 
> joey from the security team provided an initial attempt at backporting
> the backport to woody, but unfortunately it was not sufficient to
> completely address the vulnerability.  it also did not include fixes for
> the second set of vulnerabilities released by the hardened-php project.
> 
> having spent more time hacking on it than i'd have liked, i've now
> produced a new version of the backport, which i believe should address
> all of the relevant security issues.
> 
> it can be found at the following uris:
> 
> deb http://people.debian.org/~seanius/cacti/woody ./
> deb-src http://people.debian.org/~seanius/cacti/woody ./
> 
> all this said, i think it should be strongly emphasized that upstream
> is no longer supporting the woody version of cacti and does not provide
> updates for it, and users should be advised to upgrade to at least the
> version in sarge ASAP.  i'm also not convinced that there aren't other
> security issues in the woody version, but can at least feel reasonably
> comfortable that of the recently published vulnerabilities woody's cacti
> should be okay with this new revision.
> 
> joey, mike, et al: is there anything else you need from me?

I guess we're facing a severe problem here.

Even though you say that my fixes were not sufficient, you have
***removed*** a fair amount of the patches I've applied after
reading the code that uses unsanitised variables.  I now see
that you've placed sanitising into the config file entirely,
would have been nice to note this.

Additionally you seem to be using get_request_var only which
uses the $_GET array, but not the $_REQUEST array, and hence
can be bypassed by POST or cookie input if I am not mistaken.
This was not the case in the version I sent you.

In addition to that you also clutter sanitize.php with sanitising
variables that aren't even used.  That's not ok.

Regards,

	Joey

PS: ... and the distribution needs to be set to oldstable-security

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.



Message #64 received at 315703@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 315703@bugs.debian.org, 316590@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: woody backport now available for all cacti security issues
Date: Thu, 14 Jul 2005 11:45:00 -0400
On Wed, Jul 13, 2005 at 06:28:21PM +0200, Martin Schulze wrote:
> I guess we're facing a severe problem here.
> 
> Even though you say that my fixes were not sufficient, you have
> ***removed*** a fair amount of the patches I've applied after
> reading the code that uses unsanitised variables.  I now see
> that you've placed sanitising into the config file entirely,
> would have been nice to note this.

i guess i didn't in the email updating this, but did so in sanitize.php
itself:

/*
 * backported security-related changes from cacti 
 *      by sean finney <seanius@debian.org>
 *
 * to preserve my own sanity, all sanity checks are done in here, which
 * is included by the main configuration, which is included by everything.
 * variables that don't exist will not raise failures, so only in the case
 * that the input exists and is not what it is supposed to be will there
 * be an error.
 */

> Additionally you seem to be using get_request_var only which
> uses the $_GET array, but not the $_REQUEST array, and hence
> can be bypassed by POST or cookie input if I am not mistaken.
> This was not the case in the version I sent you.

the problem with using _REQUEST is that someone could provide a valid
_POST variable, but sneak the malicious content into _GET, which would
then pass a _REQUEST test (assuming order gpc), but if the system uses
_GET it still uses the malicious content.  this is most of the cause of
the second set of advisories.

however, now that i think about it, since i think most variables in
the woody version of cacti are using register_globals, a variable like
$id will be set in the same order as $_REQUEST, so maybe that isn't a
bad idea.

now that i think about it even more, what would be best is to run the
sanity check on all of the _GET, _POST, _COOKIE variables, and fail
if any of them have bad values.  that would make the patch even
simpler.

> In addition to that you also clutter sanitize.php with sanitising
> variables that aren't even used.  That's not ok.

aren't even used on a specific page or aren't used at all in cacti?  in
the case of the former, it causes no problems (apart from a couple extra
cycles, which i think is OK in the interest of a cleaner patch).  in the
case of the latter, the lines should be removed--though again it doesn't
hurt to have it there.

> PS: ... and the distribution needs to be set to oldstable-security

okay.  so this is what i will do in the next week:

- modify sanitize.php to check all three _FOO arrays for bad values and
  quit out if any of them are bad.
- double check sanitize.php for globally unused variables.
- update the distribution name.


how does that sound?

	sean

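The $_REQUEST-versus-$_GET mismatch that the CAN-2005-2148 entry earlier in this log describes, and the per-source check Sean proposes in the message above, as an added PHP illustration. This is not Cacti's code and not the patch under discussion: build_request(), vulnerable_query(), hardened_query() and the parameter name id are hypothetical, the "GPC" merge order is the one the thread assumes, and the attack string is a constructed placeholder.

```php
<?php
// Added example, not Cacti's code: simulates the CAN-2005-2148 pattern
// (a sanitiser that checks $_REQUEST while the page consumes $_GET) and
// the per-source check proposed in the thread.  All function names and
// the parameter name "id" are hypothetical.
declare(strict_types=1);

/**
 * Emulate how PHP fills $_REQUEST: the sources are merged in the order
 * given by variables_order (here "GPC", as the thread assumes), so a later
 * source overwrites an earlier one for the same key.  Under register_globals
 * the plain $id variable is filled in the same order.
 */
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $s) {
        $request = array_merge($request, $sources[$s]);
    }
    return $request;
}

/** The kind of check a numeric-id sanitiser performs. */
function is_digits(string $v): bool
{
    return preg_match('/^[0-9]+$/', $v) === 1;
}

/** Vulnerable shape: the check reads $_REQUEST, the page reads $_GET. */
function vulnerable_query(array $get, array $request): string
{
    if (!is_digits((string) ($request['id'] ?? ''))) {
        throw new RuntimeException('rejected');
    }
    // $_REQUEST['id'] was taken from the cookie; $_GET['id'] still holds
    // whatever the URL carried, and that is what reaches the query.
    return 'SELECT * FROM graph WHERE id=' . $get['id'];
}

/** Hardened shape: reject a bad value in any source, then use one validated copy. */
function hardened_query(array $get, array $post, array $cookie): string
{
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $name => $src) {
        if (isset($src['id']) && !is_digits((string) $src['id'])) {
            throw new RuntimeException("rejected: bad id in $name");
        }
    }
    $id = build_request($get, $post, $cookie)['id'] ?? '';
    if (!is_digits((string) $id)) {
        throw new RuntimeException('rejected: id missing');
    }
    return 'SELECT * FROM graph WHERE id=' . (int) $id;
}

// Constructed request: attack string in the URL, legitimate value in a cookie.
$get     = ['id' => '1 OR 1=1'];
$post    = [];
$cookie  = ['id' => '42'];
$request = build_request($get, $post, $cookie);   // the cookie's value wins

echo vulnerable_query($get, $request), "\n";
try {
    echo hardened_query($get, $post, $cookie), "\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with the php command-line interpreter. vulnerable_query() passes its check, because $_REQUEST['id'] holds the cookie's 42, and then builds the query from $_GET['id']; hardened_query() throws, because the GET copy fails the same check. Under register_globals (PHP 4, as in woody) a plain $id is populated in the same variables_order as $_REQUEST, which is why validating $_REQUEST covers code that reads $id; code that reads $_GET or $_COOKIE directly still needs the per-source loop, or must read only the validated copy.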

Message #69 received at 315703@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 315703@bugs.debian.org, 316590@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: woody backport now available for all cacti security issues
Date: Thu, 14 Jul 2005 19:10:30 +0200
Sean Finney wrote:
> i guess i didn't in the email updating this, but did so in sanitize.php
> itself:

Yes, I saw that later.  I hope, my tone wasn't too harsh.

> > Additionally you seem to be using get_request_var only which
> > uses the $_GET array, but not the $_REQUEST array, and hence
> > can be bypassed by POST or cookie input if I am not mistaken.
> > This was not the case in the version I sent you.
> 
> the problem with using _REQUEST is that someone could provide a valid
> _POST variable, but sneak the malicious content into _GET, which would
> then pass a _REQUEST test (assuming order gpc), but if the system uses
> _GET it still uses the malicious content.  this is most of the cause of
> the second set of advisories.

Yes, but the woody version does not use $_GET *anywhere* except in
the alleged sanitising code you included.  It uses $foo instead of
$_GET["foo"] all the time, which means for me - if I'm not mistaken -
that we should use either $foo or $_REQUEST["foo"] in the sanitising
code.

> however, now that i think about it, since i think most variables in
> the woody version of cacti are using register_globals, a variable like
> $id will be set in the same order as $_REQUEST, so maybe that isn't a
> bad idea.

True.

> now that i think about it even more, what would be best is to run the
> sanity check on all of the _GET, _POST, _COOKIE variables, and fail
> if any of them have bad values.  that would make the patch even
> simpler.

It seems to me that running them on $_REQUEST only is sufficient.  Or
do you know of a possibility that $foo can include something which is
not in $_REQUEST when inserted via GET/POST/cookie/$whatever?

> > In addition to that you also clutter sanitize.php with sanitising
> > variables that aren't even used.  That's not ok.
> 
> aren't even used on a specific page or aren't used at all in cacti?  in

Aren't used at all.

See this for example:

finlandia!joey(pts/15):/src/debian/security/work/cacti/cacti-0.6.7> find -type f|xargs grep cdef_id
./include/sanitize.php:input_validate_input_number(get_request_var("cdef_id"));
finlandia!joey(pts/15):/src/debian/security/work/cacti/cacti-0.6.7>

The only use of $cdef_id is in the sanitising code.  For such cases we
don't need sanitising.

> the case of the former, it causes no problems (apart from a couple extra
> cycles, which i think is OK in the interest of a cleaner patch).  in the

I already accepted that the correction due to its size will be done
centralised and hence not on each page.

> okay.  so this is what i will do in the next week:
> 
> - modify sanitize.php to check all three _FOO arrays for bad values and
>   quit out if any of them are bad.

I'd go for _REQUEST only.

> - double check sanitize.php for globally unused variables.
> - update the distribution name.
> 
> how does that sound?

Good.

However, as I don't like the "next week" part too much, I'll try to
work on the update on my own and send you the diff for comments.
Should reduce the time you need to spend on the issue as well.

Regards,

	Joey

-- 
Computers are not intelligent.  They only think they are.

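The grep Joey ran above for cdef_id, generalised into an added check that is not from the thread or the package: it lists every name a central include/sanitize.php validates that nothing else in the tree reads. It assumes the file layout and the get_request_var("name") call pattern seen in Joey's output; the sample tree, including the host_id parameter, is constructed inline.

```shell
#!/bin/sh
# Added check, not from the thread or the cacti package.  Assumes the layout
# seen in Joey's grep: a central include/sanitize.php whose entries look like
# input_validate_input_number(get_request_var("name"));

# Print every name passed to get_request_var("...") in include/sanitize.php
# that no other file under $1 mentions as a whole word.
unused_sanitized_vars() {
    tree=$1
    san="$tree/include/sanitize.php"
    grep -o 'get_request_var("[A-Za-z0-9_]*")' "$san" \
      | sed 's/get_request_var("\(.*\)")/\1/' \
      | sort -u \
      | while read -r name; do
            # files other than the sanitiser itself that use the name as a word
            users=$(grep -rlw -- "$name" "$tree" | grep -vFx "$san" || true)
            if [ -z "$users" ]; then
                echo "$name"
            fi
        done
}

# Constructed sample tree: host_id is read by a page, cdef_id is only sanitised.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/include"
    cat > "$dir/include/sanitize.php" <<'EOF'
<?php
input_validate_input_number(get_request_var("host_id"));
input_validate_input_number(get_request_var("cdef_id"));
EOF
    cat > "$dir/host.php" <<'EOF'
<?php
include("include/config.php");
$sql = "select * from host where id=" . $host_id;
EOF
    echo "$dir"
}

tree=$(make_sample_tree)
unused_sanitized_vars "$tree"    # prints: cdef_id
rm -rf "$tree"
```

Point it at a real unpacked source tree with `unused_sanitized_vars ./cacti-0.6.7`; each name it prints is a sanitiser entry that guards nothing and can be dropped from the patch.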


Message #74 received at 315703@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 315703@bugs.debian.org, 316590@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: woody backport now available for all cacti security issues
Date: Fri, 15 Jul 2005 16:15:22 +0200
Martin Schulze wrote:
> However, as I don't like the "next week" part too much, I'll try to
> work on the update on my own and send you the diff for comments.
> Should reduce the time you need to spend on the issue as well.

Ok, here is an update.

Regards,

	Joey

-- 
Computers are not intelligent.  They only think they are.

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]
[cacti_0.6.7-2.4.diff.gz (application/octet-stream, attachment)]

Message #79 received at 315703@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>, 316590@bugs.debian.org
Cc: 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Fri, 15 Jul 2005 11:12:49 -0400
[Message part 1 (text/plain, inline)]
On Thu, Jul 14, 2005 at 07:10:30PM +0200, Martin Schulze wrote:
> Sean Finney wrote:
> > i guess i didn't in the email updating this, but did so in sanitize.php
> > itself:
> 
> Yes, I saw that later.  I hope, my tone wasn't too harsh.

my skin is fairly thick :)

> Yes, but the woody version does not use $_GET *anywhere* except in
> the alleged sanitising code you included.  It uses $foo instead of
> $_GET["foo"] all the time, which means for me - if I'm not mistaken -
> that we should use either $foo or $_REQUEST["foo"] in the sanitising
> code.

yes.  we could either pass the variable names as strings and
dereference them (like $$name), or use $_REQUEST, which i'm
fairly sure will have the same effect.

> > if any of them have bad values.  that would make the patch even
> > simpler.
> 
> It seems to me that running them on $_REQUEST only is sufficient.  Or
> do you know of a possibility that $foo can include something which is
> not in $_REQUEST when inserted via GET/POST/cookie/$whatever?

if the supposition is true that $_REQUEST is set in the same order
as variables set via register_globals, then no further checks would
be necessary.  i'm fairly certain this is the case.

> > how does that sound?
> 
> Good.
> 
> However, as I don't like the "next week" part too much, I'll try to
> work on the update on my own and send you the diff for comments.
> Should reduce the time you need to spend on the issue as well.

okay, that would be appreciated.  i'm really busy in the next 4-5 days
as i'm trying to get my worldly possessions sorted and packed in
preparation for moving out of the country...

On Fri, Jul 15, 2005 at 04:15:22PM +0200, Martin Schulze wrote:
> > However, as I don't like the "next week" part too much, I'll try to
> > work on the update on my own and send you the diff for comments.
> > Should reduce the time you need to spend on the issue as well.
> 
> Ok, here is an update.

i'll try and set some time aside tonight or tomorrow to test, but
it looks good from an initial glance.


	sean

-- 
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #84 received at 315703@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Mon, 18 Jul 2005 19:21:29 +0200
sean finney wrote:
> On Fri, Jul 15, 2005 at 04:15:22PM +0200, Martin Schulze wrote:
> > > However, as I don't like the "next week" part too much, I'll try to
> > > work on the update on my own and send you the diff for comments.
> > > Should reduce the time you need to spend on the issue as well.
> > 
> > Ok, here is an update.
> 
> i'll try and set some time aside tonight or tomorrow to test, but
> it looks good from an initial glance.

Any outcome?  In other words, any reason not to issue the advisory
and update now?

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #89 received at 315703@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Mon, 18 Jul 2005 13:54:19 -0400
[Message part 1 (text/plain, inline)]
hi,

On Mon, Jul 18, 2005 at 07:21:29PM +0200, Martin Schulze wrote:
> > i'll try and set some time aside tonight or tomorrow to test, but
> > it looks good from an initial glance.
> 
> Any outcome?  In other words, any reason not to issue the advisory
> and update now?

i haven't had a chance to look at it yet, i've been busy packing up
my personal life into boxes the past few days.  i'm flying out to
california today, and will have ample airport/airplane time with my
laptop, so i should have something for you in the next 24 hours.  i'll
not only verify the patch works, but also see if there are any other
variables that we missed which need to be dug up for sanity checking.  


	sean

-- 
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #94 received at 315703@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Tue, 19 Jul 2005 07:54:31 +0200
Sean Finney wrote:
> hi,
> 
> On Mon, Jul 18, 2005 at 07:21:29PM +0200, Martin Schulze wrote:
> > > i'll try and set some time aside tonight or tomorrow to test, but
> > > it looks good from an initial glance.
> > 
> > Any outcome?  In other words, any reason not to issue the advisory
> > and update now?
> 
> i haven't had a chance to look at it yet, i've been busy packing up
> my personal life into boxes the past few days.  i'm flying out to
> california today, and will have ample airport/airplane time with my
> laptop, so i should have something for you in the next 24 hours.  i'll
> not only verify the patch works, but also see if there are any other
> variables that we missed which need to be dug up for sanity checking.  

Ok, I'll wait.

Regards,

	Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #99 received at 315703@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Tue, 19 Jul 2005 04:17:46 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 19, 2005 at 07:54:31AM +0200, Martin Schulze wrote:
> Ok, I'll wait.

so, a 6 hour plane flight later, i've learned 3 things:

1 - there are a number of other variables that also need to be included.
2 - there are a number of calls where variables are indirectly passed
    to mysql_foo functions via other functions (which causes a problem
    for the current sanity checking method)
3 - there is another, ridiculously obvious security vulnerability in
    the woody version.


1 is easy to fix, we can just add on the extra variables to the file.
of the 900 or so calls to mysql_foo functions, i had about 170 left
to look at when my battery crapped out.

2 is trickier.  we could either repeat the process i'm about finished
with wrt mysql_foo for all the functions that pass variables to
mysql_foo, or we could do the sanity checking in the function.  as
the former sounds ugly and even more time consuming i'm going to
side with the latter.

what i think i'm going to do is split sanitize.php into sanitize and
sanitize-functions.  sanitize will include_once sanitize-functions,
so then sanitize can be included multiple times (otherwise i believe
that php will bitch about functions being redefined), and i'll just
slip in a line in each mysql-calling function to include sanitize,
and add the variables in said functions to sanitize.php.

as for 3, well... there's a variable, which is stored in a cookie.
the cookie name is cactilogin, and the value is an integer.  want to
guess what it does?  a fix for this shouldn't be too hard, this kind
of info should be stored in the session and not in the cookie.

anyway, i'll have a fair amount of free time tomorrow, but will need
a little sleep first :)


	sean

-- 
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #104 received at 315703@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Tue, 19 Jul 2005 10:52:43 +0200
[Message part 1 (text/plain, inline)]
Sean Finney wrote:
> On Tue, Jul 19, 2005 at 07:54:31AM +0200, Martin Schulze wrote:
> > Ok, I'll wait.
> 
> so, a 6 hour plane flight later, i've learned 3 things:
> 
> 1 - there are a number of other variables that also need to be included.
> 2 - there are a number of calls where variables are indirectly passed
>     to mysql_foo functions via other functions (which causes a problem
>     for the current sanity checking method)
> 3 - there is another, ridiculously obvious security vulnerability in
>     the woody version.

Thanks a lot for your investigation!

> 1 is easy to fix, we can just add on the extra variables to the file.
> of the 900 or so calls to mysql_foo functions, i had about 170 left
> to look at when my battery crapped out.
> 
> 2 is trickier.  we could either repeat the process i'm about finished
> with wrt mysql_foo for all the functions that pass variables to
> mysql_foo, or we could do the sanity checking in the function.  as
> the former sounds ugly and even more time consuming i'm going to
> side with the latter.

The less work and the less intrusive the patch the better.

> what i think i'm going to do is split sanitize.php into sanitize and
> sanitize-functions.  sanitize will include_once sanitize-functions,
> so then sanitize can be included multiple times (otherwise i believe
> that php will bitch about functions being redefined), and i'll just
> slip in a line in each mysql-calling function to include sanitize,
> and add the variables in said functions to sanitize.php.

Sounds good.

> as for 3, well... there's a variable, which is stored in a cookie.
> the cookie name is cactilogin, and the value is an integer.  want to
> guess what it does?  a fix for this shouldn't be too hard, this kind
> of info should be stored in the session and not in the cookie.

Hmm, having the user id stored in a cookie is common practice.
The variable obviously needs to be sanitised as well.

> anyway, i'll have a fair amount of free time tomorrow, but will need
> a little sleep first :)

Ok.  For reference I'm attaching the interdiff between the woody
version and the current updated version on security.debian.org (in
the private queue).

Regards,

	Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #109 received at 315703@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Tue, 19 Jul 2005 22:22:18 -0400
[Message part 1 (text/plain, inline)]
and (hopefully,) a final update...

On Tue, Jul 19, 2005 at 10:52:43AM +0200, Martin Schulze wrote:
> > 2 is trickier.  we could either repeat the process i'm about finished
> > with wrt mysql_foo for all the functions that pass variables to
> > mysql_foo, or we could do the sanity checking in the function.  as
> > the former sounds ugly and even more time consuming i'm going to
> > side with the latter.
> 
> The less work and the less intrusive the patch the better.

this is done now.  turns out all the db-querying functions included
a database.php file at the beginning of the function, which then
included config.php, which then included sanitize.php.

> > what i think i'm going to do is split sanitize.php into sanitize and
> > sanitize-functions.  sanitize will include_once sanitize-functions,
> > so then sanitize can be included multiple times (otherwise i believe
> > that php will bitch about functions being redefined), and i'll just
> > slip in a line in each mysql-calling function to include sanitize,
> > and add the variables in said functions to sanitize.php.
> 
> Sounds good.

this is done now.

> > as for 3, well... there's a variable, which is stored in a cookie.
> > the cookie name is cactilogin, and the value is an integer.  want to
> > guess what it does?  a fix for this shouldn't be too hard, this kind
> > of info should be stored in the session and not in the cookie.
> 
> Hmm, having the user id stored in a cookie is common practice.
> The variable obviously needs to be sanitised as well.

the sanitizing functions now check all of get/post/cookie (and global
scoped variables for one of them too because it changes their value),
which after thinking about it seemed safer since there's no penalty for
unset variables other than a few wasted cycles.

as for the id thing, what i'm suspecting is that most/all pages are
accepting the value of that cookie as the logged in userid without making
sure the user is authenticated.  but, i'm willing to keep my head in the
sand and not dig deep enough to find out whether or not this really is
a problem, because i'm just so fucking tired of dealing with this.

anyway, all the goodies are at

http://people.debian.org/~seanius/cacti/woody

and attached is the interdiff between oldstable and my patch (i believe
it also includes the latest changelog changes from you too, might want
to double-check that).



	sean

-- 
[0.6.7-2.5.interdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
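The sanitising scheme the two messages above converge on (a functions file guarded against repeat inclusion, a sanitize file re-included from every db-querying function, and a check of every copy register_globals could have produced: GET, POST, cookie and the already-registered global) as an added example that is neither the Debian patch nor Cacti's own code. The variable names in `$cacti_int_vars` other than `cactilogin` are hypothetical, and the sample request values are constructed.

```php
<?php
// Added example, not the Debian patch nor Cacti's code. Both files of the
// scheme are collapsed into one so it runs stand-alone under the PHP CLI.

// Constructed sample request: what a register_globals install would see.
$_GET['local_graph_id'] = '42';
$_COOKIE['cactilogin']  = '7';
$local_graph_id = $_GET['local_graph_id'];   // the register_globals copy

// --- sanitize-functions.php (guarded so a repeat include is harmless) ---
if (!defined('CACTI_SANITIZE_FUNCTIONS')) {
    define('CACTI_SANITIZE_FUNCTIONS', 1);

    // True when $value is a PHP int or a plain string of decimal digits.
    function cacti_is_int_like($value) {
        if (is_int($value)) {
            return true;
        }
        return is_string($value) && preg_match('/^[0-9]+$/', $value) === 1;
    }

    // Check every copy of $name that register_globals could have produced
    // (GET, POST, cookie, and the global registered from them). Returns the
    // labels of the sources holding a non-integer value; empty means clean.
    function cacti_bad_sources($name) {
        $sources = array(
            '_GET'    => $_GET,
            '_POST'   => $_POST,
            '_COOKIE' => $_COOKIE,
            'global'  => $GLOBALS,
        );
        $bad = array();
        foreach ($sources as $label => $arr) {
            if (isset($arr[$name]) && !cacti_is_int_like($arr[$name])) {
                $bad[] = $label;
            }
        }
        return $bad;
    }
}

// --- sanitize.php: reached again from each db-querying function via the
// database.php -> config.php -> sanitize.php include chain described above.
$cacti_int_vars = array('local_graph_id', 'host_id', 'cactilogin');  // hypothetical list
foreach ($cacti_int_vars as $name) {
    $bad = cacti_bad_sources($name);
    if (count($bad) > 0) {
        // Quit the whole request rather than let the value reach mysql_query().
        header('HTTP/1.0 400 Bad Request');
        exit("Invalid value for $name (from " . implode(', ', $bad) . ")\n");
    }
}
echo "request passed sanitising\n";

// A tampered cookie copy, checked directly so the script can show which
// source the checker flags instead of exiting.
$_COOKIE['cactilogin'] = "7 OR 1=1";
var_dump(cacti_bad_sources('cactilogin'));
```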

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#315703; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #114 received at 315703@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: 316590@bugs.debian.org, 315703@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#316590: woody backport now available for all cacti security issues
Date: Thu, 21 Jul 2005 07:37:41 +0200
Sean Finney wrote:
> this is done now.

Thanks a lot.  I have reviewed it and will use it for the advisory.

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber



Reply sent to sean finney <seanius@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to seanius <seanius@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #119 received at 315703-close@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 315703-close@bugs.debian.org, 316590-close@bugs.debian.org
Subject: security fixes available in all releases now
Date: Sun, 24 Jul 2005 17:22:34 -0400
[Message part 1 (text/plain, inline)]
so i'm closing these bugs.

-- 
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 10:47:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:47:59 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.