I was just the messenger, but I understand your concern (I am in the same boat as a Debian maintainer). Please contact the cacti devs directly if you want to get a statement (or offer help if you can). If you think about it, it is not trivial to fix that CVE as it requires a full revision of the authentication mechanism of cacti, so I am not surprised that it takes longer than anticipated.
Hm, according to the CSRF suggestions, a simple referer check would do as a first step. This "should" be easy to implement. At least faster than the synchronizer token solution suggested (which would be required to be implemented not only by Cacti but also for each plugin which contains a form).
I guess this could be done in the main auth file ... let me check.
Here is what I tested out last night on my dev box. I haven't tested every form yet, but it hasn't broken anything at this point.
Basically it buffers the output of every page, and rewrites the forms to include a token automatically. This would work for anyone really concerned about it (I'm personally not, since I don't visit untrusted sites and watch what I click on already as part of general internet security). We would definitely want to go the route of rewriting every form ourselves in 0.8.9.
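For readers who want to see what the two approaches discussed in this thread look like in PHP, here is an added illustration (it is not cigamit's patch and not Cacti code): a coarse referer check as the quick first step, plus a synchronizer token that an output-buffer callback injects into every POST form and that is verified before the page runs. The field name `__csrf_token`, the session key and the placeholder hostname are assumptions for the example.

```php
<?php
// Added example: CSRF protection via (a) a referer check and (b) a per-session
// synchronizer token injected into every <form method="post"> by an output
// buffer callback. Not Cacti's own code; names below are assumptions.
session_start();

// (a) Quick first step: refuse POSTs whose Referer is missing or off-site.
// Coarse, because some proxies and privacy settings strip the header.
function csrf_referer_ok(string $expected_host): bool {
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($ref, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// (b) One unguessable token per session, created on first use.
function csrf_token(): string {
    if (empty($_SESSION['__csrf_token'])) {
        $_SESSION['__csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__csrf_token'];
}

// Output-buffer callback: append a hidden token field right after each
// opening <form ... method="post" ...> tag. GET forms are left alone so the
// token never ends up in a URL (and thus in someone else's Referer header).
function csrf_inject_forms(string $html): string {
    $field = '<input type="hidden" name="__csrf_token" value="'
           . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
    $pattern = '/(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)/i';
    return preg_replace($pattern, '$1' . $field, $html);
}

// Verify the token on every POST before any page logic runs.
// hash_equals() avoids leaking the token through timing differences.
function csrf_check(string $expected_host): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $sent = $_POST['__csrf_token'] ?? '';
    if (!csrf_referer_ok($expected_host)
        || !is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

csrf_check('cacti.example.invalid');   // placeholder hostname
ob_start('csrf_inject_forms');         // rewrite forms as the page is emitted
```

Because the callback only sees HTML forms, any state-changing request issued from JavaScript (or a plugin that builds its own requests) still needs the token added and checked explicitly, which is the per-form work the thread refers to.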
cigamit wrote: Here is what I tested out last night on my dev box. I haven't tested every form yet, but it hasn't broken anything at this point.
Hi Cigamit.
Great that you share a solution. What do you envision as a time frame for releasing this more official than as a patch in this forum?
I hate to be a pain, but it looks like this is a generic solution, not something you wrote for Cacti, right? Where did you get it? I.e. what is the license and who is the copyright-holder of this patch?
I am waiting on Tony to evaluate it. He has been working on rewriting every form (which is why it has taken so long). I was reading up on how to prevent CSRFs and one of the provided links took me to http://csrf.htmlpurifier.org/
This was just my quick test to see if I could protect a few of my installations before an official patch came out. I would wait on the official patch for anything beyond trying to protect your own local installs.
cigamit wrote: I am waiting on Tony to evaluate it. He has been working on rewriting every form (which is why it has taken so long).
Another month has passed. What are the opinions of the cacti devs on getting CVE-2014-2327 fixed? I am getting tempted to investigate cigamit's patch for a security update in Debian.