For Immediate Consideration - SECURITY PATCH
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
It has recently been reported that there are remote execution
vulnerabilities in cmd.php and other Cacti command line utilities that can
be executed from the web server.
The following versions have patches available to resolve this issue:
0.8.6i - http://www.cacti.net/download_patches.p ... ion=0.8.6i
0.8.6h - http://www.cacti.net/download_patches.p ... ion=0.8.6h
Forum post concerning this exploit:
http://forums.cacti.net/viewtopic.php?t=18846
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
It seems to fail on the modified poller.php when using the 1 minute version from http://forums.cacti.net/viewtopic.php?t=16482
contents of poller.php.rej
***************
*** 26,32 ****
*/
/* do NOT run this script through a web browser */
- if (!isset($_SERVER["argv"][0])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
--- 26,32 ----
*/
/* do NOT run this script through a web browser */
+ if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
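Review bot: the condition on the `+` line is the only functional change in this hunk (the `die()` call and the closing brace are unchanged context), so when the hunk is rejected against the 1-minute poller.php the fix can be applied by hand: replace the existing `if (!isset($_SERVER["argv"][0])) {` with `if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {`. The new test infers a web invocation from request-related superglobals; a direct test of the SAPI, `if (PHP_SAPI !== 'cli') {`, does not depend on which `$_SERVER` keys a particular web server populates and is worth considering alongside it.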
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
The patches did introduce a problem with the Timespan Selector. The attached file will remedy this problem.
TheWitness
Attachments: inc_timespan_selector.zip (1.61 KiB)
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
Hello Community,
we should consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.
For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install
You can do it from the management console of the IIS.
Dagonet
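Dagonet's suggestion above, written out as Apache configuration: an added example, not code from this thread or from the Cacti project. It assumes Cacti is installed under /var/www/html/cacti (a placeholder path) and Apache 2.2-style access directives.

```apache
# Added example (not from the Cacti project or this thread): refuse HTTP
# requests to Cacti's command-line-only scripts and support directories,
# using the same list Dagonet gives above. Path is a placeholder; set it to
# the directory that actually holds cacti/ in your DocumentRoot.
<Directory /var/www/html/cacti>
    # CLI-only utilities: a browser (or an attacker's HTTP client) gets 403.
    <FilesMatch "^(cmd|copy_cacti_user|poller|poller_commands|poller_export|poller_reindex_hosts|rebuild_poller_cache|script_server)\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Directories with no browser-facing entry point. Note the trade-off: the
# install/ directory must be reachable again during an upgrade, and if your
# release keeps stylesheets or JavaScript under include/, verify the UI still
# renders after this is applied (if not, deny only *.php under include/).
<DirectoryMatch "^/var/www/html/cacti/(scripts|include|install)(/|$)">
    Order allow,deny
    Deny from all
</DirectoryMatch>
```

After `apachectl configtest` and a reload, request one of the listed files through a browser and confirm the server answers 403 rather than running the script. On Apache 2.4, replace each `Order allow,deny` / `Deny from all` pair with `Require all denied`.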
If one would download the 0.8.6i would it be patched with these patches already?
As a note: I've been checking out the site for an updated Cacti version with the security patches since reading about the exploit in Secunia, thinking an update fixing multiple security flaws would certainly get a version letter increase from 0.8.6i to 0.8.6j.
Today I finally noticed there's a thread about it on the board with a link to a separate page with patches. So IMHO it would be a good idea to add some kind of notice about it to the main page.
- Posts: 32
- Joined: Fri Jan 19, 2007 2:11 pm
Do I run these on my box in order to patch it or do I replace the corresponding scripts with this?
0.8.6i - http://www.cacti.net/download_patches.p ... ion=0.8.6i
soloslinger
Superb suggestion.
dagonet wrote:
Hello Community,
we should consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.
For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install
You can do it from the management console of the IIS.
Dagonet
I did a super easy installation with Fedora 5:
yum -y install mod_security
Edited the conf file to support protection against SQL and some other small pre-written rules..
Works like a charm.
mod_security does not seem to be in the default CentOS repos.
Here is a link for it:
http://centos.karan.org/el4/extras/stab ... l4.kb.html
It is from Karanbir Singh's website. He is one of the CentOS team members.
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]