security fixes for 0.8.8

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
ktdreyer
Posts: 9
Joined: Mon Sep 08, 2008 2:38 am

security fixes for 0.8.8

Post by ktdreyer »

There has been some discussion in the Gentoo and Red Hat Bugzillas regarding two CVEs:
  • CVE-2014-2708 is for the SQL injection issues in graph_xport.php.
  • CVE-2014-2709 is for the shell escaping issues in lib/rrd.php
References:

https://bugs.gentoo.org/show_bug.cgi?id=506356
https://bugzilla.redhat.com/show_bug.cgi?id=1084258

There's no announcement about these on cacti.net, and version 0.8.8b is the latest version that I see available on the Cacti website.

Can we expect a new release of the 0.8.8 branch to resolve these?
paulgevers
Cacti Pro User
Posts: 613
Joined: Tue Aug 29, 2006 4:09 pm
Location: NL

Re: security fixes for 0.8.8

Post by paulgevers »

Please see the official cacti patches page: http://www.cacti.net/download_patches.php

Oh, and I heard there would be a spin of 0.8.8c when the remaining CVE-2014-2327 is fixed (maybe this weekend...).
Maintainer of cacti in Debian (and Ubuntu).
Cacti 1.* is now officially supported on Debian Stretch via Debian backports
FAQ Ubuntu and Debian differences
Generic cacti debugging
ktdreyer
Posts: 9
Joined: Mon Sep 08, 2008 2:38 am

Re: security fixes for 0.8.8

Post by ktdreyer »

Hi Paul, it's been a couple of weeks, and I'm concerned that CVE-2014-2327 is not going to be fixed.
paulgevers
Cacti Pro User
Posts: 613
Joined: Tue Aug 29, 2006 4:09 pm
Location: NL

Re: security fixes for 0.8.8

Post by paulgevers »

I was just the messenger, but I understand your concern (I am in the same boat as Debian maintainer). Please contact the cacti devs directly if you want to get a statement (or offer help if you can). If you think about it, it is not trivial to fix that CVE as it requires a full revision of the authentication mechanism of cacti, so I am not surprised that it takes longer than anticipated.
Maintainer of cacti in Debian (and Ubuntu).
Cacti 1.* is now officially supported on Debian Stretch via Debian backports
FAQ Ubuntu and Debian differences
Generic cacti debugging
User avatar
phalek
Developer
Posts: 2838
Joined: Thu Jan 31, 2008 6:39 am
Location: Kressbronn, Germany
Contact:

Re: security fixes for 0.8.8

Post by phalek »

Hm, according to the CSFR suggestions, a simple referer check would do as a first step. This "should" be easy to implement. At least faster then the synchronizer token solution suggested ( which would be required to be implemented not only by Cacti but also for each plugin which contains a from ).

I guess this could be done in the main auth file ... let me check.
Greetings,
Phalek
---
Need more help ? Read the Cacti documentation or my new Cacti 1.x Book
Need on-site support ? Look here Cacti Workshop
Need professional Cacti support ? Look here CereusService
---
Plugins : CereusReporting
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Re: security fixes for 0.8.8

Post by cigamit »

Here is what I tested out last night on my dev box. I haven't tested every form yet, but it hasn't broken anything at this point.

Basically it buffers the output of every page, and rewrites the forms to include a token automatically. This would work for anyone really concerned about it (I'm personally not, since I don't visit untrusted sites and watch what I click on already as part of general internet security). We would definitely want to go the route of rewriting every form our self in 0.8.9.
Attachments
csrf.patch
(22.34 KiB) Downloaded 177 times
paulgevers
Cacti Pro User
Posts: 613
Joined: Tue Aug 29, 2006 4:09 pm
Location: NL

Re: security fixes for 0.8.8

Post by paulgevers »

cigamit wrote:Here is what I tested out last night on my dev box. I haven't tested every form yet, but it hasn't broken anything at this point.
Hi Cigamit.

Great that you share a solution. What do you envision as a time frame for releasing this more official than as a patch in this forum?

I hate to be a pain, but it looks like this is a generic solution, not something you wrote for Cacti, right? Where did you get it? I.e. what is the license and who is the copyright-holder of this patch?

Paul
Maintainer of cacti in Debian (and Ubuntu).
Cacti 1.* is now officially supported on Debian Stretch via Debian backports
FAQ Ubuntu and Debian differences
Generic cacti debugging
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Re: security fixes for 0.8.8

Post by cigamit »

I am waiting on Tony to evaluate it. He has been working on rewriting every form (which is why it has taken so long). I was reading up on how to prevent CSRF's and one of the provided links took me to
http://csrf.htmlpurifier.org/

It appears to be BSD licensed according to the git repo.
http://repo.or.cz/w/csrf-magic.git

This was just my quick test to see if I could protect a few of my installations before an official patch came out. I would wait on the official patch for anything beyond trying to protect your own local installs.
paulgevers
Cacti Pro User
Posts: 613
Joined: Tue Aug 29, 2006 4:09 pm
Location: NL

Re: security fixes for 0.8.8

Post by paulgevers »

cigamit wrote:I am waiting on Tony to evaluate it. He has been working on rewriting every form (which is why it has taken so long).
Another month has passed. What are the opinions of the cacti devs of getting CVE-2014-2327 fixed. I am getting tempted to investigat cigamit's patch for a security update in Debian.
Maintainer of cacti in Debian (and Ubuntu).
Cacti 1.* is now officially supported on Debian Stretch via Debian backports
FAQ Ubuntu and Debian differences
Generic cacti debugging
paulgevers
Cacti Pro User
Posts: 613
Joined: Tue Aug 29, 2006 4:09 pm
Location: NL

Re: security fixes for 0.8.8

Post by paulgevers »

paulgevers wrote:I am getting tempted to investigate cigamit's patch for a security update in Debian.
I have gone ahead and applied the patch to Debian.
Maintainer of cacti in Debian (and Ubuntu).
Cacti 1.* is now officially supported on Debian Stretch via Debian backports
FAQ Ubuntu and Debian differences
Generic cacti debugging
ktdreyer
Posts: 9
Joined: Mon Sep 08, 2008 2:38 am

Re: security fixes for 0.8.8

Post by ktdreyer »

(I know you know this already Paul, but for the sake of the broader Cacti community...)

There are now patches in SVN for CVE-2014-4002, a cross-site scripting vulnerability.

http://svn.cacti.net/viewvc?view=rev&revision=7451
http://svn.cacti.net/viewvc?view=rev&revision=7452

Looks like we're still waiting on a fix to get committed upstream for the older CSRF vulnerability, CVE-2014-2327.

It would be really nice to see a formal 0.8.8 release to address these.
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests