Vulnerabilities > CVE-2008-0785 - SQL Injection vulnerability in Cacti

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, cacti, CWE-89, nessus, exploit available

Summary

Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.
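The script/parameter pairs in the summary are enough to build a defender-side check. The following Python is an added example, not code from this page, from Cacti or from Tenable: it decides whether an upstream Cacti version string falls inside the affected ranges, and flags the watched parameters in constructed access-log lines whose values are not plain integer ids (or, for login_username, contain SQL metacharacters). The sample log lines, the client addresses and the numeric-only assumption about the id parameters are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts/parameters named in the CVE-2008-0785 summary. Assumption (mine, not
# Cacti's rule): id-style parameters carry only integers or comma-separated ids;
# login_username is free text and is checked for SQL metacharacters instead.
WATCHED = {
    "graph_view.php": {"graph_list"},
    "tree.php": {"leaf_id", "id"},
    "graph_xport.php": {"local_graph_id"},
    "index.php": {"login_username"},
}
NUMERIC_ONLY = re.compile(r"[0-9,]*")
SQL_META = re.compile(r"'|--|#|/\*|\bor\b|\bunion\b", re.IGNORECASE)

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_params(target):
    """(script, param, value) for every watched parameter carrying unexpected input."""
    parts = urlsplit(target)
    # First .php path component, so '/cacti/index.php/sql.php' maps to index.php.
    script = next((p for p in parts.path.split("/") if p.endswith(".php")), None)
    watched = WATCHED.get(script, set())
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            if name == "login_username":
                bad = SQL_META.search(value) is not None
            else:
                bad = NUMERIC_ONLY.fullmatch(value) is None
            if bad:
                hits.append((script, name, value))
    return hits

def scan_log(lines):
    """One finding per suspicious parameter. Caveat: login_username normally arrives
    in a POST body, which access logs do not record, so only query-string uses show."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        for script, name, value in suspicious_params(m.group("target")):
            findings.append({"line": lineno, "client": m.group("ip"), "script": script,
                             "param": name, "value": value, "status": int(m.group("status"))})
    return findings

def is_affected(version):
    """Upstream ranges from the summary: 0.8.7 before 0.8.7b, 0.8.6 before 0.8.6k.
    Distro builds (e.g. Gentoo's patched 0.8.6j-r8) need their own advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError("unrecognised upstream Cacti version: %r" % version)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if base == (0, 8, 7):
        return letter < "b"
    if base == (0, 8, 6):
        return letter < "k"
    return False  # other branches are not named by the advisory

# Constructed sample log (not from any real system; documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2008:10:15:32 +0000] "GET /cacti/graph_view.php?action=list&graph_list=12%2C13 HTTP/1.1" 200 5123',
    '192.0.2.10 - - [12/Feb/2008:10:15:40 +0000] "GET /cacti/tree.php?action=tree&leaf_id=3 HTTP/1.1" 200 4410',
    '203.0.113.7 - - [12/Feb/2008:10:16:02 +0000] "GET /cacti/tree.php?action=tree&leaf_id=3%27%20OR%201%3D1%23 HTTP/1.1" 200 9811',
    '203.0.113.7 - - [12/Feb/2008:10:16:05 +0000] "GET /cacti/graph_xport.php?local_graph_id=7%27 HTTP/1.1" 200 300',
    '203.0.113.7 - - [12/Feb/2008:10:16:09 +0000] "POST /cacti/index.php/sql.php?action=login HTTP/1.1" 302 0',
]
```

Running `scan_log(SAMPLE_LOG)` reports the third and fourth lines only; the POST login probe on the last line is invisible to this check because its parameter never reaches the access log.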

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally, SQL injection attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every database management system (DBMS) includes facilities that, if compromised, allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attacker's choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:

Exploit-Db

  • description: Cacti. CVE-2008-0785. Webapps exploit for php platform
    id: EDB-ID:31159
    last seen: 2016-02-03
    modified: 2008-02-12
    published: 2008-02-12
    reporter: aScii
    source: https://www.exploit-db.com/download/31159/
    title: Cacti <= 0.8.7 tree.php Multiple Parameter SQL Injection
  • description: Cacti 0.8.7 graph_view.php graph_list Parameter SQL Injection. CVE-2008-0785. Webapps exploit for php platform
    id: EDB-ID:31156
    last seen: 2016-02-03
    modified: 2008-02-12
    published: 2008-02-12
    reporter: aScii
    source: https://www.exploit-db.com/download/31156/
    title: Cacti <= 0.8.7 graph_view.php graph_list Parameter SQL Injection
  • description: Cacti 0.8.7 graph_xport.php local_graph_id Parameter SQL Injection. CVE-2008-0785. Webapps exploit for php platform
    id: EDB-ID:31160
    last seen: 2016-02-03
    modified: 2008-02-12
    published: 2008-02-12
    reporter: aScii
    source: https://www.exploit-db.com/download/31160/
    title: Cacti <= 0.8.7 graph_xport.php local_graph_id Parameter SQL Injection
  • description: Cacti 0.8.7 index.php/sql.php Login Action login_username Parameter SQL Injection. CVE-2008-0785. Webapps exploit for php platform
    id: EDB-ID:31161
    last seen: 2016-02-03
    modified: 2008-02-12
    published: 2008-02-12
    reporter: aScii
    source: https://www.exploit-db.com/download/31161/
    title: Cacti <= 0.8.7 index.php/sql.php Login Action login_username Parameter SQL Injection

Nessus

  • NASL family: CGI abuses
    NASL id: CACTI_LOGIN_USERNAME_SQL_INJECTION.NASL
    description: The remote host is running Cacti, a web-based front-end to RRDTool for network graphing. The version of Cacti installed on the remote host fails to sanitize user input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31048
    published: 2008-02-13
    reporter: This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31048
    title: Cacti index.php/sql.php Login Action login_username Parameter SQL Injection
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31048);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/28 22:47:41");
    
      script_cve_id("CVE-2008-0785");
      script_bugtraq_id(27749);
    
      script_name(english:"Cacti index.php/sql.php Login Action login_username Parameter SQL Injection");
      script_summary(english:"Tries to manipulate a SQL query");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP script that is susceptible to a
    SQL injection attack." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running Cacti, a web-based front-end to RRDTool for
    network graphing.
    
    The version of Cacti installed on the remote host fails to sanitize
    user input to the 'login_username' parameter before using it in the
    'auth_login.php' script to perform database queries.  Regardless of
    PHP's 'magic_quotes_gpc' setting, an attacker may be able to exploit
    this issue to manipulate database queries to disclose sensitive
    information, bypass authentication, or even attack the underlying
    database.
    
    Note that there are also reportedly several other vulnerabilities
    associated with this version of Cacti, although Nessus has not checked
    for them." );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/160");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/488013/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"http://forums.cacti.net/about25749.html" );
      script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.7b / 0.8.6k or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(89);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cacti_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/cacti");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("url_func.inc");
    include("webapp_func.inc");
    
    
    port = get_http_port(default:80, php:TRUE);
    install = get_install_from_kb(appname:'cacti', port:port, exit_on_fail:TRUE);
    dir = install['dir'];
    
    # Make sure the script exists.
    url = string(dir, "/index.php/sql.php?action=login");
    
    r = http_send_recv3(method:"GET",item:url, port:port);
    if (isnull(r)) exit(0);
    res = r[2];
    
    # If so...
    if ("<title>Login to Cacti" >< res)
    {
      exploit = string(unixtime(), "' OR 1=1#");
      postdata = string("login_username=", urlencode(str:exploit));
    
      r = http_send_recv3(method: "POST", item: url, port: port,
        content_type:"application/x-www-form-urlencoded",
        data: postdata);
      if (isnull(r)) exit(0);
    
      # There's a problem if we get a 302 response code.
      if (
        egrep(pattern:"^HTTP/[^ ]+ 302 ", string:r[0]) &&
        egrep(pattern:"^Location: +index\.php", string:r[1])
      )
      {
        security_hole(port);
        set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        exit(0);
      }
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-1699.NASL
    description: Fixes: * XSS vulnerabilities * Path disclosure vulnerabilities * SQL injection vulnerabilities * HTTP response splitting vulnerabilities bug#0000855: Unnecessary (and faulty) DEF generation for CF:AVERAGE bug#0001083: Small visual fix for Cacti in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31104
    published: 2008-02-18
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31104
    title: Fedora 8 : cacti-0.8.7b-1.fc8 (2008-1699)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-1699.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31104);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-0783", "CVE-2008-0784", "CVE-2008-0785", "CVE-2008-0786");
      script_bugtraq_id(27749);
      script_xref(name:"FEDORA", value:"2008-1699");
    
      script_name(english:"Fedora 8 : cacti-0.8.7b-1.fc8 (2008-1699)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixes: * XSS vulnerabilities * Path disclosure vulnerabilities * SQL
    injection vulnerabilities * HTTP response splitting vulnerabilities
    bug#0000855: Unnecessary (and faulty) DEF generation for CF:AVERAGE
    bug#0001083: Small visual fix for Cacti in 'View Cacti Log File'
    bug#0001089: Graph xport modification to increase default rows output
    bug#0001091: Poller incorrectly identifies unique hosts bug#0001093:
    CLI Scripts bring MySQL down on large installations bug#0001094:
    Filtering broken on Data Sources page bug#0001103: Fix looping poller
    recache events bug#0001107: ss_fping.php 100% 'Pkt Loss' does not work
    properly bug#0001114: Graphs with no template and/or no host cause
    filtering errors on Graph Management page bug#0001115: View Poller
    Cache does not show Data Sources that have no host bug#0001118: Graph
    Generation fails if e.g. ifDescr contains some blanks bug#0001132:
    TCP/UDP ping port ignored bug#0001133: Downed Device Detection: None
    leads to database errors bug#0001134: update_host_status handles
    ping_availability incorrectly bug#0001143: 'U' not allowed as min/max
    RRD value bug#0001158: Deleted user causes error on user log viewer
    bug#0001161: Re-assign duplicate radio button IDs bug#0001164: Add
    HTML title attributes for certain pages bug#0001168:
    ALL_DATA_SOURCES_NODUPS includes DUPs? SIMILAR_DATA_SOURCES_DUPS is
    available again bug: Cacti does not guarantee RRA consolidation
    functions exist in RRA's bug: Alert on changing logarithmic scaling
    removed bug: add_hosts.php did not accept privacy protocol security:
    Fix several security vulnerabilities feature: show basic RRDtool graph
    options on Graph Template edit feature: Add additional logging to
    Graph Xport feature: Add rows dropdown to devices, graphs and data
    sources feature: Add device_id and event count to devices feature: Add
    ids to devices, graphs and data sources pages feature: Add database
    repair utility
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=432758"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-February/007951.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3090b9fb"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cacti package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(79, 89, 94, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cacti");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC8", reference:"cacti-0.8.7b-1.fc8")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cacti");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200803-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200803-18 (Cacti: Multiple vulnerabilities) The following inputs are not properly sanitized before being processed:
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31444
    published: 2008-03-13
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31444
    title: GLSA-200803-18 : Cacti: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200803-18.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31444);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2008-0783", "CVE-2008-0784", "CVE-2008-0785", "CVE-2008-0786");
      script_xref(name:"GLSA", value:"200803-18");
    
      script_name(english:"GLSA-200803-18 : Cacti: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200803-18
    (Cacti: Multiple vulnerabilities)
    
        The following inputs are not properly sanitized before being processed:
        'view_type' parameter in the file graph.php, 'filter' parameter
        in the file graph_view.php, 'action' and 'login_username' parameters in
        the file index.php (CVE-2008-0783).
        'local_graph_id' parameter in the file graph.php
        (CVE-2008-0784).
        'graph_list' parameter in the file graph_view.php, 'leaf_id' and
        'id' parameters in the file tree.php, 'local_graph_id' in the file
        graph_xport.php (CVE-2008-0785).
        Furthermore, CRLF injection attacks are possible via unspecified vectors
        (CVE-2008-0786).
      
    Impact :
    
        A remote attacker could exploit these vulnerabilities, leading to path
        disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP
        response splitting.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200803-18"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Cacti users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-analyzer/cacti-0.8.7b'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(79, 89, 94, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:cacti");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-analyzer/cacti", unaffected:make_list("ge 0.8.7b", "rge 0.8.6j-r8"), vulnerable:make_list("lt 0.8.7b"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Cacti");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-1737.NASL
    description: - XSS vulnerabilities * Path disclosure vulnerabilities * SQL injection vulnerabilities * HTTP response splitting vulnerabilities bug#0000855: Unnecessary (and faulty) DEF generation for CF:AVERAGE bug#0001083: Small visual fix for Cacti in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31107
    published: 2008-02-18
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31107
    title: Fedora 7 : cacti-0.8.7b-1.fc7 (2008-1737)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1569.NASL
    description: It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32143
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32143
    title: Debian DSA-1569-2 : cacti - insufficient input sanitising