Cacti session security
Hi,
I run the latest stable version (0.8.6i-5.fc5) and when I login as administrator, browse some through the application and copy/paste the URL and open it in another browser (or mail it to a friend) I do not need to give any authentication!!! In other words: When you know the URL you don't need a password....
Is this a known issue??
TIA,
Martijn
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Viewing graphs or console.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
For some reason, you have your session id in the URL.
PHP Manual - CXLIV. Session Handling Functions
PHP Manual wrote:
There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
Hmmm... Well, I'm no programmer so I turned session.auto_start into 1 and restarted httpd. I still can copy-paste URLs into another browser (Firefox / Explorer) but not sure if this should be a new session/cookie. Also not sure if I understand this session matter...
I don't think a session id is in this url: graph_view.php?action=tree&tree_id=3&leaf_id=23&select_first=true
It's a standard Fedora C5 install.
I presume this is not normal behaviour??
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
That is not normal behavior.
- TheWitness
- Developer
- Posts: 17059
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
It's likely that you have granted console access for the guest account. Why don't you first "disable" the Guest account and then try it again.
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
Hi,
I am a completely new user (0.8.6i on Gentoo) but also saw this behavior today. When I send URLs to friends, those people can browse my graphs with no problem.
The URLs in question come from graph.php and are similar to this:
mysite.com/cacti/graph.php?local_graph_id=17&rra_id=all
or
mysite.com/cacti/graph_view.php?action=preview
URLs from other php files prompt the user to login, e.g.:
mysite.com/cacti/user_admin.php?action=user_edit&id=3
Except for changing the admin and guest passwords, I do not believe I made any user permission changes. My guest account has 'Console Access' disabled unchecked.
I had a quick look at the PHP files in question and noticed that graph.php and graph_view.php contain an extra line near the top:
Code:
$guest_account = true;
After commenting out this line, users could no longer casually view graphs without being prompted to login. Unfortunately, guests were prompted to login repeatedly!
Perhaps there is an issue here somewhere? Hard to tell. Subversion indicates that line has been there for years...
hope this helps,
-Graham
Thinking about it further, I expect this is a 'feature' and not a bug.
I imagine that most people want their graphs to be viewable by others -- perhaps many others. Because every installation has a guest account, and everyone ships around URLs for graph_view.php or graph.php, then by default anyone can look at those charts. I imagine this is what the "$guest_account = true;" line in the PHP files is for.
On the other hand, if you don't want your graphs open to the world, you can either delete the guest account or adjust its permissions.
Perhaps the most useful thing to understand is that Cacti's default setting is to give access to graphs as if anyone/everyone were logged in as 'guest'.
-Graham
- TheWitness
- Developer
- Posts: 17059
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
You are correct. However, if the guest users can see the console and don't specifically have access to it via user management, that would be a major problem.
I think this forum isn't too happy about single ticks... Hope it will work now:
To be honest, I didn't check if I had access to the console... Access to the graphs was already shocking enough
I will try it asap.
In the mean time I looked for more security issues around Cacti. I read that it was not sensible to make Cacti publicly available. There was a problem with checking of OS call parameters or something...
I think I will only make it accessible from certain IPs
Anyone who has Cacti publicly available and not concerned at all??
TIA
Martijn
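As an added example (not code from this thread, from Cacti, or from any poster), a small audit over httpd access-log lines for the two conditions discussed above: session ids carried in URLs or referers, which the PHP manual quote warns leak the session, and graph.php/graph_view.php pages served with HTTP 200 to addresses outside an allowlist, the exposure Graham explains and Martijn plans to close with IP restrictions. The log lines, addresses and session id value are constructed; the Cacti paths are the ones quoted in the thread.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Apache combined log format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Cacti 0.8.6 scripts the thread shows being served to the guest account.
GUEST_ENDPOINTS = {"/cacti/graph.php", "/cacti/graph_view.php"}


def audit_line(line, allowed_nets):
    """Return a list of (kind, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line)]
    findings = []
    url = urlsplit(m.group("path"))
    # 1. Session id in the request URL: the leak the PHP manual describes.
    if "PHPSESSID" in parse_qs(url.query):
        findings.append(("session_id_in_url", m.group("path")))
    # A referer carrying a session id means it was leaked to another site.
    if "PHPSESSID=" in m.group("referer"):
        findings.append(("session_id_in_referer", m.group("referer")))
    # 2. Graph pages served (200) to a client outside the allowed ranges.
    src = ipaddress.ip_address(m.group("ip"))
    outside = not any(src in net for net in allowed_nets)
    if url.path in GUEST_ENDPOINTS and m.group("status") == "200" and outside:
        findings.append(("graph_served_outside_allowlist", f"{src} {url.path}"))
    return findings


def audit_log(lines, allowed_cidrs):
    """Audit every line; allowed_cidrs are the networks that may see graphs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [f for line in lines for f in audit_line(line, nets)]


# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2007:10:00:00 +0100] "GET /cacti/graph_view.php?action=preview HTTP/1.1" 200 5120 "-" "Mozilla"',
    '198.51.100.7 - - [10/Jan/2007:10:01:00 +0100] "GET /cacti/graph.php?local_graph_id=17&rra_id=all HTTP/1.1" 200 8192 "-" "Mozilla"',
    '198.51.100.7 - - [10/Jan/2007:10:02:00 +0100] "GET /cacti/user_admin.php?action=user_edit&id=3 HTTP/1.1" 302 0 "-" "Mozilla"',
    '10.0.0.5 - - [10/Jan/2007:10:03:00 +0100] "GET /cacti/graph_view.php?action=tree&tree_id=3&PHPSESSID=abc123 HTTP/1.1" 200 5120 "-" "Mozilla"',
]

if __name__ == "__main__":
    for kind, detail in audit_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(kind, detail)
```

The user_admin.php hit is deliberately not flagged: it answered 302 (redirect to login), which is the behaviour Graham reported for non-graph pages.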
- TheWitness
- Developer
- Posts: 17059
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
Every once and a while developers make mistakes. Cacti is not alone in that regard. The important thing with Cacti, is when discovered, we address them right away and have far less that say, what's that other company? Oh yea, Microsoft.