Need help for Cacti Security issues

red_garlic
Posts: 3
Joined: Wed Mar 11, 2009 11:10 pm
Location: Kuala Lumpur

Need help for Cacti Security issues

Post by red_garlic »

Hi All,

I have installed Cacti 0.8.7g and will publish it to the internet, but my security team has done a security assessment and found some things to be fixed.
Below are the security issues that should be fixed, and I have no idea how to fix them.

1. Authentication Bypass Using SQL Injection
Example: https://IP Address/cacti/index.php (Parameter: login_username)
Remediation: Filter out hazardous characters from user input

2. Cross-Site Scripting
Example: https://IP Address/cacti/graph_settings.php
Remediation: Filter out hazardous characters from user input

3. Phishing Through URL Redirection
Example: https://IP Address/cacti/graph_settings.php (Parameter: referer)
Remediation: Disable redirection to external sites based on parameter values

4. Stored Cross-Site Scripting
Example: https://IP Address/cacti/graph_settings.php
Remediation: Filter out hazardous characters from user input

5. Cross-Site Request Forgery
Example: https://IP Address/cacti/logout.php
Remediation: Decline malicious requests

6. Inadequate Account Lockout
Example: https://IP Address/cacti/index.php (Parameter: login_password)
Remediation: Enforce account lockout after several failed login attempts

7. Phishing Through Frames
Example: https://IP Address/cacti/graph_settings.php (Parameter: num_columns)
Remediation: Filter out hazardous characters from user input

I would very much appreciate it if the Cacti experts could help me fix these security issues.

Thanks
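For findings 2, 3, 4 and 7 in the list above, the usual pattern is allowlist validation on input and encoding on output. The following is an added example and not part of the original thread or Cacti's own code; the function names, the 1 to 5 column range, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; not Cacti code. Function names, the column range and the
// sample inputs are hypothetical.

// Finding 3: only follow a redirect target that is a bare script name in
// the application's own directory, with an optional simple query string.
// Absolute URLs, protocol-relative URLs and CR/LF never match the pattern.
function safe_redirect_target(string $target, string $fallback = 'index.php'): string
{
    $pattern = '/\A[A-Za-z0-9_-]+\.php(\?[A-Za-z0-9_=&%.-]*)?\z/';
    return preg_match($pattern, $target) === 1 ? $target : $fallback;
}

// Finding 7: a column count is an integer in a small range, so validate
// the type and range instead of trying to strip characters.
function valid_column_count($raw, int $default = 2): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    return $n === false ? $default : $n;
}

// Findings 2 and 4: encode on output so stored or reflected values are
// rendered as text, never as markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs for the referer parameter.
$samples = [
    'graph_view.php?action=tree',
    'https://other-site.example/login',
    '//other-site.example/',
    "index.php\r\nSet-Cookie: x=1",
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), safe_redirect_target($s));
}

// Constructed sample inputs for num_columns and for an echoed setting.
var_dump(valid_column_count('3'));
var_dump(valid_column_count('2"><iframe src=x>'));
echo h('<b>graph title</b>'), "\n";
```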
Linegod
Developer
Posts: 1626
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada

Re: Need help for Cacti Security issues

Post by Linegod »

Submit them as bugs, with more detail.

http://cacti.net/bugs.php
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Re: Need help for Cacti Security issues

Post by rony »

Please make sure that you have all the latest patches applied to your Cacti installation.

I have submitted a bug for these issues. Please update the bug with more information from your security team.

Bug: http://bugs.cacti.net/view.php?id=2062
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 way to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
red_garlic
Posts: 3
Joined: Wed Mar 11, 2009 11:10 pm
Location: Kuala Lumpur

Re: Need help for Cacti Security issues

Post by red_garlic »

I have applied all the patches during installation.

I will update with more information once I get it from my security team.

Thanks
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Re: Need help for Cacti Security issues

Post by rony »

Please put any updates into the bug.