Bug 20211 - cacti new security issues CVE-2014-4000 and CVE-2016-2313
Summary: cacti new security issues CVE-2014-4000 and CVE-2016-2313
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory, feedback, has_procedure
Depends on: 21565 21242
Blocks:
Reported: 2017-01-30 11:21 CET by David Walser
Modified: 2017-09-06 15:07 CEST (History)

See Also:
Source RPM: cacti-0.8.8h-1.mga6.src.rpm
CVE:
Status comment: CVE-2014-4000 CVE-2016-2313

Description David Walser 2017-01-30 11:21:39 CET
Cacti 1.0.0 has been released on January 29, fixing some security issues:
http://www.cacti.net/release_notes_1_0_0.php

Besides the two CVEs, there's also an "OS Command Injection" bug fixed at least.

Mageia 5 is also affected.
David Walser 2017-01-30 11:21:49 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja van Waes 2017-01-30 12:10:09 CET
Assigning to the registered maintainer

Assignee: bugsquad => luis.daniel.lucio
CC: (none) => marja11

Comment 2 David Walser 2017-03-08 02:39:22 CET
Fedora has issued an advisory for this today (March 7), upgrading to 1.0.4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
Nicolas Lécureuil 2017-04-24 21:54:47 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Status comment: (none) => CVE-2014-4000 CVE-2016-2313

Comment 3 David Walser 2017-07-26 12:37:52 CEST
1.1.14 fixes an XSS issue as well:
https://www.cacti.net/release_notes.php?version=1.1.14
David Walser 2017-08-11 00:37:11 CEST

Depends on: (none) => 21242

Comment 4 David Walser 2017-08-11 00:55:35 CEST
Procedure in bug 13930.  Advisory for upcoming update below.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with
database error messages and allows complete access to everything, including the
user administration pages. The bug is in auth_login.php which fails to check
whether the query actually found any data or not (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows
remote anonymous users to inject arbitrary web script or HTML via the id
parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
1.1.12 allows remote authenticated users to inject arbitrary web script or HTML
via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user
profile management page (auth_profile.php), allowing injection of arbitrary web
script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute
arbitrary code via the avgnan, outlier-start, or outlier-end parameter
(CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
before 1.1.16 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-12066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.mga5

from cacti-1.1.16-1.mga5.src.rpm

Whiteboard: (none) => has_procedure

Comment 5 David Walser 2017-08-11 01:00:50 CEST
Advisory, procedure, and package list in Comment 4.

Assignee: luis.daniel.lucio => qa-bugs

David Walser 2017-08-18 23:59:33 CEST

Depends on: (none) => 21565

Comment 6 David Walser 2017-08-19 19:23:29 CEST
Package rebuilt with a fix for CVE-2017-12927.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with
database error messages and allows complete access to everything, including the
user administration pages. The bug is in auth_login.php which fails to check
whether the query actually found any data or not (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows
remote anonymous users to inject arbitrary web script or HTML via the id
parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
1.1.12 allows remote authenticated users to inject arbitrary web script or HTML
via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user
profile management page (auth_profile.php), allowing injection of arbitrary web
script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute
arbitrary code via the avgnan, outlier-start, or outlier-end parameter
(CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
before 1.1.16 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-12066).

Cross-site scripting vulnerability in cacti in spikekill.php via the method
parameter (CVE-2017-12927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
http://openwall.com/lists/oss-security/2017/08/18/8
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.1.mga5

from cacti-1.1.16-1.1.mga5.src.rpm
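The CVE-2016-2313 description in the advisories above (Comment 4 and Comment 6) comes down to a login path that uses the result of its user lookup without checking that the query returned a row. The following is an added illustration of that pattern beside its fail-closed form; it is not Cacti's own auth_login.php, the user table is constructed in memory, and the session shape and is_authorized() helper are assumptions.

```php
<?php
// Added illustration, not Cacti's auth_login.php: the bug class behind
// CVE-2016-2313 is using a lookup result without checking that the query
// actually found a row. $user_auth is a constructed stand-in for the
// user_auth table; the session layout and is_authorized() are assumed.
$user_auth = [
    ['id' => 1, 'username' => 'admin',  'enabled' => 'on'],
    ['id' => 2, 'username' => 'viewer', 'enabled' => 'on'],
];

// Stand-in for a db_fetch_row() style call: returns the matching row, or
// false when the SELECT matched nothing (a name not in the cacti database).
function fetch_user_row(array $table, string $username) {
    foreach ($table as $row) {
        if ($row['username'] === $username) {
            return $row;
        }
    }
    return false;
}

// Vulnerable pattern: the session is populated straight from the result.
// For an unknown name $row is false, the '??' quietly yields a null id,
// and the session is still marked as logged in.
function login_unchecked(array $table, string $username): array {
    $row = fetch_user_row($table, $username);
    return ['logged_in' => true, 'user_id' => $row['id'] ?? null];
}

// Hardened pattern: fail closed unless the query returned a usable,
// enabled row; only then mark the session as logged in.
function login_checked(array $table, string $username): array {
    $row = fetch_user_row($table, $username);
    if ($row === false || empty($row['id']) || ($row['enabled'] ?? '') !== 'on') {
        return ['logged_in' => false, 'user_id' => null];
    }
    return ['logged_in' => true, 'user_id' => (int) $row['id']];
}

// Assumed page-level check: any logged-in session may reach the page.
function is_authorized(array $session): bool {
    return !empty($session['logged_in']);
}

// 'admin' exists; 'nobody' does not. Only the unchecked login lets 'nobody' in.
foreach (['admin', 'nobody'] as $name) {
    printf("%-7s unchecked=%s checked=%s\n", $name,
        var_export(is_authorized(login_unchecked($user_auth, $name)), true),
        var_export(is_authorized(login_checked($user_auth, $name)), true));
}
```

As defense in depth, the page-level check should also insist on a non-empty user_id rather than trusting the logged_in flag alone, so that a login bug of this kind is caught a second time.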
Lewis Smith 2017-08-25 15:49:56 CEST

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure advisory

Comment 7 Lewis Smith 2017-08-25 22:44:20 CEST
Trying M5/64

Having Cacti already installed & basically working, I updated directly to:
 cacti-1.1.16-2.mga5      [Note difference from Comment 6]
and used the system for some time before trying:
 http://localhost/cacti/
which usually shows its login screen. Not this time. With Firefox, it just left the window blank. With Opera 12, it gave 'not found'.

So I reverted to: cacti-0.8.8f-1.5.mga5
 # urpmi --downgrade cacti
and tried again; that worked.
Updated once again to cacti-1.1.16-2.mga5, and that did *not* work - as indicated above. Setting 'feedback'.

Whiteboard: has_procedure advisory => has_procedure advisory feedback

Comment 8 Herman Viaene 2017-08-27 11:40:54 CEST
Confirm problem with new version. Found following in /var/log/httpd/error.log:
[Sun Aug 27 11:35:51.838542 2017] [:error] [pid 4483] [client 127.0.0.1:49110] PHP Parse error:  syntax error, unexpected ''FATAL: Connection to Cacti da' (T_CONSTANT_ENCAPSED_STRING) in /usr/share/cacti/include/global.php on line 217

CC: (none) => herman.viaene

Comment 9 Lewis Smith 2017-08-27 20:47:14 CEST
(In reply to Herman Viaene from comment #8)
> Confirm problem with new version.
Thanks Herman - and for the better information. I was going to ask on qa-discuss for a verification, as this seemed rather fundamental; no need now.
Comment 10 Samuel Verschelde 2017-09-06 15:07:27 CEST
Moving 'advisory', 'has_procedure' and 'feedback' from whiteboard to keywords now that madb has been updated to handle those keywords.

Whiteboard: has_procedure advisory feedback => (none)
Keywords: (none) => advisory, feedback, has_procedure