Vulnerabilities > CVE-2005-2149 - Unspecified vulnerability in the Cacti Group Cacti

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
the-cacti-group
critical
nessus

Summary

config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks.

Nessus

  • NASL familyCGI abuses
    NASL idCACTI_086F.NASL
    descriptionThe Cacti application running on the remote web server is affected by an authentication bypass vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id18619
    published2005-07-05
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18619
    titleCacti < 0.8.6f Authentication Bypass Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description) {
      script_id(18619);
      script_version("1.21");
      script_cvs_date("Date: 2018/06/14 12:21:47");
    
      script_cve_id("CVE-2005-2148", "CVE-2005-2149");
      script_bugtraq_id(14027, 14130);
    
      script_name(english:"Cacti < 0.8.6f Authentication Bypass Vulnerability");
      script_summary(english:"Attempts to exploit the vulnerability.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected by
    an authentication bypass vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Cacti application running on the remote web server is affected by
    an authentication bypass vulnerability.");
      # https://web.archive.org/web/20061130123447/http://www.hardened-php.net/index.30.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a392bde5");
      # https://web.archive.org/web/20061130122909/http://www.hardened-php.net/index.31.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79df242f");
      # https://web.archive.org/web/20060502023335/http://www.hardened-php.net/index.33.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8090490f");
      script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6f.php");
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6f or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/05");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      script_dependencies("cacti_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/cacti");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    get_install_count(app_name:'cacti', exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    install = get_install_from_kb(appname:'cacti', port:port, exit_on_fail:TRUE);
    
    disable_cookiejar();
    dir = install['dir'];
    
      # Try to exploit the authentication bypass flaw.
      r = http_send_recv3(port: port, method: 'GET',
        item: strcat(dir, "/user_admin.php"),
        add_headers: make_array("Cookie", "_SESSION[sess_user_id]=1;no_http_headers=1;"));
      if (isnull(r)) exit(0);
    
      # There's a problem if we get a link for adding users.
      if ('href="user_admin.php?action=user_edit">Add' >< r[2]) {
        security_hole(port);
        exit(0);
      }
    
  • NASL familyCGI abuses
    NASL idCACTI_086F_VCHECK.NASL
    descriptionAccording to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.6f. It is, therefore, potentially affected by the following vulnerabilities : - Multiple vulnerabilities exist due to improper input validation in
    last seen2020-06-01
    modified2020-06-02
    plugin id81602
    published2015-03-03
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81602
    titleCacti < 0.8.6f Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description) {
      script_id(81602);
      script_version("1.5");
      script_cvs_date("Date: 2018/06/14 12:21:47");
    
      script_cve_id("CVE-2005-2148", "CVE-2005-2149");
      script_bugtraq_id(14027, 14130);
    
      script_name(english:"Cacti < 0.8.6f Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Cacti.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Cacti application
    running on the remote web server is prior to version 0.8.6f. It is,
    therefore, potentially affected by the following vulnerabilities :
    
      - Multiple vulnerabilities exist due to improper input
        validation in 'graph_image.php' and 'graph.php'.
        (CVE-2005-2148)
    
      - A flaw exists in 'config.php' that allows remote
        attackers to set the 'no_http_headers' switch and then
        modify session information in order to gain the
        privileges necessary to perform SQL injection attacks.
        (CVE-2005-2149)");
      # https://web.archive.org/web/20061130123447/http://www.hardened-php.net/index.30.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a392bde5");
      # https://web.archive.org/web/20061130122909/http://www.hardened-php.net/index.31.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79df242f");
      # https://web.archive.org/web/20060502023335/http://www.hardened-php.net/index.33.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8090490f");
      script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6f.php" );
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6f or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/03");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("cacti_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("installed_sw/cacti", "www/PHP", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    app = 'cacti';
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    
    install_url = build_url(qs:install['path'], port:port);
    version = install['version'];
    
    ver = split(version, sep:'.', keep:FALSE);
    if (
      int(ver[0]) == 0 &&
      (
       int(ver[1]) < 8 ||
       (int(ver[1]) == 8 && ver[2] =~ '^([0-5][a-z]?|6[a-e]?)$')
      )
    )
    {
      set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);
      if (report_verbosity > 0)
      {
        report =  '\n  URL               : ' + install_url +
                  '\n  Installed version : ' + version +
                  '\n  Fixed version     : 0.8.6f' +
                  '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    audit(AUDIT_WEB_APP_NOT_AFFECTED, "Cacti", install_url, version);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-764.NASL
    descriptionSeveral vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems : - CAN-2005-1524 Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-1525 Due to missing input validation cacti allows a remote attacker to insert arbitrary SQL statements. - CAN-2005-1526 Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-2148 Stefan Esser discovered that the update for the above mentioned vulnerabilities does not perform proper input validation to protect against common attacks. - CAN-2005-2149 Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
    last seen2020-06-01
    modified2020-06-02
    plugin id19258
    published2005-07-21
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19258
    titleDebian DSA-764-1 : cacti - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-764. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19258);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-1524", "CVE-2005-1525", "CVE-2005-1526", "CVE-2005-2148", "CVE-2005-2149");
      script_xref(name:"DSA", value:"764");
    
      script_name(english:"Debian DSA-764-1 : cacti - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in cacti, a round-robin
    database (RRD) tool that helps create graphs from database
    information. The Common Vulnerabilities and Exposures Project
    identifies the following problems :
    
      - CAN-2005-1524
        Maciej Piotr Falkiewicz and an anonymous researcher
        discovered an input validation bug that allows an
        attacker to include arbitrary PHP code from remote sites
        which will allow the execution of arbitrary code on the
        server running cacti.
    
      - CAN-2005-1525
    
        Due to missing input validation cacti allows a remote
        attacker to insert arbitrary SQL statements.
    
      - CAN-2005-1526
    
        Maciej Piotr Falkiewicz discovered an input validation
        bug that allows an attacker to include arbitrary PHP
        code from remote sites which will allow the execution of
        arbitrary code on the server running cacti.
    
      - CAN-2005-2148
    
        Stefan Esser discovered that the update for the above
        mentioned vulnerabilities does not perform proper input
        validation to protect against common attacks.
    
      - CAN-2005-2149
    
        Stefan Esser discovered that the update for
        CAN-2005-1525 allows remote attackers to modify session
        information to gain privileges and disable the use of
        addslashes to protect against SQL injection."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316590"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315703"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-764"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the cacti package.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 0.6.7-2.5.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.8.6c-7sarge2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cacti");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/21");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"cacti", reference:"0.6.7-2.5")) flag++;
    if (deb_check(release:"3.1", prefix:"cacti", reference:"0.8.6c-7sarge2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");