CVE-2005-1525 - SQL Injection vulnerability in RaXnet Cacti
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: PARTIAL
- Integrity impact: PARTIAL
- Availability impact: PARTIAL

Summary
SQL injection vulnerability in config_settings.php for Cacti before 0.8.6e allows remote attackers to execute arbitrary SQL commands via the id parameter.
Vulnerable Configurations
Nessus
- NASL family: CGI abuses
- NASL id: CACTI_086E_VCHECK.NASL
- description: According to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.6e. It is, therefore, potentially affected by the following vulnerabilities : - A PHP file inclusion vulnerability exists in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 81601
- published: 2015-03-03
- reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/81601
- title: Cacti < 0.8.6e Multiple Vulnerabilities

code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(81601);
      script_version("1.3");
      script_cvs_date("Date: 2018/11/15 20:50:16");

      script_cve_id("CVE-2005-1524", "CVE-2005-1525", "CVE-2005-1526");
      script_bugtraq_id(14027, 14028, 14030, 14042, 14128, 14129);

      script_name(english:"Cacti < 0.8.6e Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Cacti.");

      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Cacti application
    running on the remote web server is prior to version 0.8.6e. It is,
    therefore, potentially affected by the following vulnerabilities :

      - A PHP file inclusion vulnerability exists in
        'top_graph_header.php' that allows remote attackers to
        execute arbitrary PHP code using the
        'config[library_path]' parameter. (CVE-2005-1524)

      - A SQLi vulnerability exists in 'config_settings.php'
        that allows remote attackers to execute arbitrary SQL
        commands using the 'id' parameter. (CVE-2005-1525)

      - A PHP remote file inclusion vulnerability exists in
        'config_settings.php' that allows remote attackers to
        execute arbitrary PHP code using the
        'config[include_path]' parameter. (CVE-2005-1526)");
      script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6e.php");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/403174/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6e or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Cacti graph_view.php Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/03");

      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

      script_dependencies("cacti_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("installed_sw/cacti", "www/PHP", "Settings/ParanoidReport");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");

    # Version-only check, so it runs only when report paranoia is set to Paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    app = 'cacti';
    get_install_count(app_name:app, exit_if_zero:TRUE);

    port = get_http_port(default:80, php:TRUE);

    install = get_single_install(
      app_name : app,
      port : port,
      exit_if_unknown_ver : TRUE
    );

    install_url = build_url(qs:install['path'], port:port);
    version = install['version'];

    ver = split(version, sep:'.', keep:FALSE);

    # Flag 0.x with x < 8, or 0.8.0 through 0.8.5 (optional letter suffix),
    # or 0.8.6 through 0.8.6d; 0.8.6e is the fixed release.
    if (
      int(ver[0]) == 0 &&
      (
        int(ver[1]) < 8 ||
        (int(ver[1]) == 8 && ver[2] =~ '^([0-5][a-z]?|6[a-d]?)$')
      )
    )
    {
      set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);

      if (report_verbosity > 0)
      {
        report =
          '\n URL : ' + install_url +
          '\n Installed version : ' + version +
          '\n Fixed version : 0.8.6e' +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    audit(AUDIT_WEB_APP_NOT_AFFECTED, "Cacti", install_url, version);

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200506-20.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200506-20 (Cacti: Several vulnerabilities) Cacti fails to properly sanitize input which can lead to SQL injection, authentication bypass as well as PHP file inclusion. Impact : An attacker could potentially exploit the file inclusion to execute arbitrary code with the permissions of the web server. An attacker could exploit these vulnerabilities to bypass authentication or inject SQL queries to gain information from the database. Only systems with register_globals set to
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18547
- published: 2005-06-23
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/18547
- title: GLSA-200506-20 : Cacti: Several vulnerabilities

- NASL family: CGI abuses
- NASL id: CACTI_086E.NASL
- description: The Cacti application running on the remote web server is affected by a local file inclusion vulnerability due to improperly validating user-supplied input to the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18546
- published: 2005-06-22
- reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/18546
- title: Cacti Local File Inclusion Vulnerability

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-764.NASL
- description: Several vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems :
    - CAN-2005-1524 Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
    - CAN-2005-1525 Due to missing input validation cacti allows a remote attacker to insert arbitrary SQL statements.
    - CAN-2005-1526 Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
    - CAN-2005-2148 Stefan Esser discovered that the update for the above mentioned vulnerabilities does not perform proper input validation to protect against common attacks.
    - CAN-2005-2149 Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 19258
- published: 2005-07-21
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/19258
- title: Debian DSA-764-1 : cacti - several vulnerabilities

References
- http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000978
- http://secunia.com/advisories/15490
- http://secunia.com/advisories/15931
- http://securitytracker.com/id?1014252
- http://www.cacti.net/release_notes_0_8_6e.php
- http://www.debian.org/security/2005/dsa-764
- http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
- http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities&flashstatus=true
- http://www.osvdb.org/17424
- http://www.securityfocus.com/bid/14027
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21120