For Immediate Consideration - SECURITY PATCH

rony

It has recently been reported that there are remote execution
vulnerabilities in cmd.php and other Cacti command line utilities that can
be executed from the web server.

The following versions have patches available to resolve this issue:

0.8.6i - http://www.cacti.net/download_patches.php?version=0.8.6i
0.8.6h - http://www.cacti.net/download_patches.php?version=0.8.6h

Forum post concerning this exploit:
http://forums.cacti.net/viewtopic.php?t=18846

egarnel · Posted: Wed Jan 10, 2007 9:54 am Post subject:

It seems to fail on the modified poller.php when using the 1 minute version from http://forums.cacti.net/viewtopic.php?t=16482

contents of poller.php.rej

TheWitness · Posted: Thu Jan 11, 2007 11:39 pm Post subject:

The patches did introduce a problem with the Timespan Selector. The attached file will remedy this problem.

TheWitness

duckeo · Joined: 16 Feb 2006 Posts: 9

Thanks guys, worked well for me on 0.8.6h from a debian installed package.

dagonet · Posted: Sat Jan 13, 2007 10:05 am Post subject:

Hello Community,

we should consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.

For IIS installations is quit easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet

jordon · Joined: 27 Nov 2006 Posts: 20

If one would download the 0.8.6i would it be patched with these patches already?

As a note: I've been checking out the site for an updated cacti version with the security patches since reading about the exploit in secunia, thinking an update fixing multiple security flaws would certainly get a version letter increase from 0.8.6i to 0.8.6j

Today finally noticed there's a thread about it on the board with link to separate page with patches. So imho, would be a good idea to add some kind of notice about it to the main page.

soloslinger · Joined: 19 Jan 2007 Posts: 25

Do I run these on my box in order to patch it or do I replace the corresponding scripts with this?

0.8.6i - http://www.cacti.net/download_patches.php?version=0.8.6i

soloslinger

WimanX · Joined: 17 Jan 2007 Posts: 4

egarnel · Posted: Mon Jan 22, 2007 9:51 am Post subject:

mod_security does not seem to be in the default Centos repos.

Here is a link for it
http://centos.karan.org/el4/extras/stable/i386/RPMS/repodata/repoview/mod_security-0-1.9.4-1.el4.kb.html

It is from Karanbir Singh's website. He is one of the CentOS team members

JJX · Cacti User Joined: 06 Oct 2005 Posts: 171

Yesterday someone exploit my cacti 0.8.6i installation.
I havent see these patches

The attacked was trying to download remotely the script and run it.

rony · Posted: Sat Mar 17, 2007 10:38 am Post subject:

pva · Joined: 26 Jan 2007 Posts: 26

Oh, just missed the date. Sorry.