For Immediate Consideration - SECURITY PATCH

rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

It has recently been reported that there are remote execution
vulnerabilities in cmd.php and other Cacti command line utilities that can
be executed from the web server.

The following versions have patches available to resolve this issue:

0.8.6i - http://www.cacti.net/download_patches.p ... ion=0.8.6i
0.8.6h - http://www.cacti.net/download_patches.p ... ion=0.8.6h


Forum post concerning this exploit:
http://forums.cacti.net/viewtopic.php?t=18846
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom; what you choose to do with it determines whether or not you are wise.
egarnel
Cacti Pro User
Posts: 708
Joined: Thu Nov 21, 2002 8:55 am
Location: Austin, TX

Post by egarnel »

It seems to fail on the modified poller.php when using the 1 minute version from http://forums.cacti.net/viewtopic.php?t=16482

contents of poller.php.rej


***************
*** 26,32 ****
  */

  /* do NOT run this script through a web browser */
- if (!isset($_SERVER["argv"][0])) {
        die("<br><strong>This script is only meant to run at the command line.</strong>");
  }

--- 26,32 ----
  */

  /* do NOT run this script through a web browser */
+ if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
        die("<br><strong>This script is only meant to run at the command line.</strong>");
  }
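Review bot: this hunk at lines 26-32 landed in poller.php.rej, so the one-minute poller.php still carries the old guard `if (!isset($_SERVER["argv"][0]))` and needs the condition edited by hand to `if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR']))`. The argv-only test is the weak point the patch is closing: with PHP's register_argc_argv enabled, a web request also populates `$_SERVER["argv"]` from the query string, so argv[0] being set says nothing about the script having been started from a shell, whereas REQUEST_METHOD and REMOTE_ADDR are only set by a web SAPI. A shorter and equally reliable form of the same check is `if (PHP_SAPI != 'cli')`; either way, re-check the guard whenever the one-minute poller.php is re-applied, since the patch will keep failing against it.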
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

The patches did introduce a problem with the Timespan Selector. The attached file will remedy this problem.

TheWitness
Attachments
inc_timespan_selector.zip
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
duckeo
Posts: 9
Joined: Thu Feb 16, 2006 8:58 pm

Post by duckeo »

Thanks guys, worked well for me on 0.8.6h from a debian installed package.
dagonet
Cacti User
Posts: 90
Joined: Sat Oct 29, 2005 4:05 pm
Location: Wuerzburg

Post by dagonet »

Hello Community,

We should consider the use of mod_security (http://www.modsecurity.org) for Apache installations.
I installed this module, so now if you make a request for, for example, cmd.php you get a 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet
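Whichever way the scripts are blocked (a mod_security rule, an Apache deny, an IIS redirect), the thing to verify afterwards is that none of the paths listed above still executes when requested over HTTP. The script below is an added example, not from this thread or from the Cacti project; it walks that list against a Cacti base URL with curl and classifies each response. It assumes Cacti is installed under /cacti/ on the target, that curl is available, and that a 403/404 (or, for IIS, a redirect) is the configured denial; a 200 or 500 means PHP ran the script and the server is still exposed.

```shell
#!/bin/sh
# Added example (not Cacti code): check that the Cacti command-line scripts
# named in this thread cannot be reached through the web server.
# Usage: sh check_cacti_exposure.sh https://cacti.example.net
# Assumptions: Cacti lives under /cacti/ on the target; curl is installed.

# Paths that must never be served over HTTP (the list from this thread).
CACTI_CLI_PATHS="cacti/cmd.php cacti/copy_cacti_user.php cacti/poller.php \
cacti/poller_commands.php cacti/poller_export.php cacti/poller_reindex_hosts.php \
cacti/rebuild_poller_cache.php cacti/script_server.php cacti/scripts/ \
cacti/include/ cacti/install/"

# Map an HTTP status code to a verdict:
#   403/404/401  the web server refused to run the script (blocked)
#   301/302      a redirect, which is what an IIS redirect rule produces;
#                still worth confirming the target is not the script itself
#   000          curl could not connect at all
#   anything else (200, 500, ...) means PHP executed the script: EXPOSED
classify_status() {
    case "$1" in
        403|404|401) echo "blocked" ;;
        301|302)     echo "redirected" ;;
        000)         echo "unreachable" ;;
        *)           echo "EXPOSED" ;;
    esac
}

# Fetch one URL and print only the HTTP status code; 000 on connection error.
http_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1") || code=000
    echo "$code"
}

# Walk the list, print one line per path, and return 1 if anything is
# exposed so the check can gate a deployment or a cron-driven audit.
check_cacti_exposure() {
    base="${1%/}"
    exposed=0
    for p in $CACTI_CLI_PATHS; do
        code=$(http_status "$base/$p")
        verdict=$(classify_status "$code")
        printf '%-36s %s  %s\n' "$p" "$code" "$verdict"
        [ "$verdict" = "EXPOSED" ] && exposed=1
    done
    return $exposed
}

# Only run the audit when a base URL was given on the command line.
if [ -n "${1:-}" ]; then
    check_cacti_exposure "$1"
fi
```

Run it once before and once after the web-server change; the "before" run should show EXPOSED for cmd.php and the pollers on an unpatched install, and the "after" run should show blocked (or redirected on IIS) for every line. A 500 still counts as exposed because it means PHP started executing the file.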
jordon
Posts: 20
Joined: Mon Nov 27, 2006 2:58 am

Post by jordon »

If one downloaded 0.8.6i now, would it already include these patches?

As a note: I've been checking the site for an updated Cacti version with the security patches since reading about the exploit on Secunia, thinking an update fixing multiple security flaws would certainly get a version letter increase from 0.8.6i to 0.8.6j.

Today I finally noticed there's a thread about it on the board with a link to a separate page with patches. So IMHO it would be a good idea to add some kind of notice about it to the main page.
soloslinger
Posts: 32
Joined: Fri Jan 19, 2007 2:11 pm

Post by soloslinger »

Do I run these on my box in order to patch it or do I replace the corresponding scripts with this?

0.8.6i - http://www.cacti.net/download_patches.p ... ion=0.8.6i


soloslinger
WimanX
Posts: 4
Joined: Wed Jan 17, 2007 3:57 am

Post by WimanX »

dagonet wrote:
Hello Community,

We should consider the use of mod_security (http://www.modsecurity.org) for Apache installations.
I installed this module, so now if you make a request for, for example, cmd.php you get a 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.
Dagonet
Superb suggestion

I did a super easy installation on Fedora 5:
yum -y install mod_security

I edited the conf file to enable protection against SQL injection and some other small pre-written rules.
Works like a charm.
egarnel
Cacti Pro User
Posts: 708
Joined: Thu Nov 21, 2002 8:55 am
Location: Austin, TX

Post by egarnel »

mod_security does not seem to be in the default CentOS repos.

Here is a link for it:
http://centos.karan.org/el4/extras/stab ... l4.kb.html

It is from Karanbir Singh's website. He is one of the CentOS team members.
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Post by JJX »

Yesterday someone exploited my Cacti 0.8.6i installation.
I hadn't seen these patches :(

The attacker was trying to remotely download a script and run it.
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

:(
pva
Posts: 26
Joined: Fri Jan 26, 2007 2:06 pm

Post by pva »

Oh, just missed the date. Sorry.