Cacti: Multiple vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200803-18 / cacti |
| Release Date |
March 10, 2008 |
| Latest Revision |
May 28, 2009: 02 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| net-analyzer/cacti |
<
0.8.7b |
>=
0.8.7b,
revision >=
0.8.6j-r8 |
All supported architectures
|
Related bugreports:
#209918
Synopsis
Multiple vulnerabilities were discovered in Cacti.
2.
Impact Information
Background
Cacti is a web-based network graphing and reporting tool.
Description
The following inputs are not properly sanitized before being processed:
- "view_type" parameter in the file graph.php, "filter" parameter
in the file graph_view.php, "action" and "login_username" parameters in
the file index.php (CVE-2008-0783).
- "local_graph_id" parameter in the file graph.php
(CVE-2008-0784).
- "graph_list" parameter in the file graph_view.php, "leaf_id" and
"id" parameters in the file tree.php, "local_graph_id" in the file
graph_xport.php (CVE-2008-0785).
Furthermore, CRLF injection attack are possible via unspecified vectors
(CVE-2008-0786).
Impact
A remote attacker could exploit these vulnerabilities, leading to path
disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP
response splitting.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Cacti users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.7b"
|
4.
References
|
