Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.

It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.

The remote host is affected by the vulnerability described in GLSA-200803-18 (Cacti: Multiple vulnerabilities)

    The following inputs are not properly sanitized before being processed:
    'view_type' parameter in the file graph.php, 'filter' parameter     in the file graph_view.php, 'action' and 'login_username' parameters in     the file index.php (CVE-2008-0783).
    'local_graph_id' parameter in the file graph.php     (CVE-2008-0784).
    'graph_list' parameter in the file graph_view.php, 'leaf_id' and     'id' parameters in the file tree.php, 'local_graph_id' in the file     graph_xport.php (CVE-2008-0785).
    Furthermore, CRLF injection attack are possible via unspecified vectors     (CVE-2008-0786).
  Impact :

    A remote attacker could exploit these vulnerabilities, leading to path     disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP     response splitting.
  Workaround :

    There is no known workaround at this time.

- XSS vulnerabilities * Path disclosure vulnerabilities *     SQL injection vulnerabilities * HTTP response splitting     vulnerabilities bug#0000855: Unnecessary (and faulty)     DEF generation for CF:AVERAGE bug#0001083: Small visual     fix for Cacti in 'View Cacti Log File' bug#0001089:
    Graph xport modification to increase default rows output     bug#0001091: Poller incorrectly identifies unique hosts     bug#0001093: CLI Scripts bring MySQL down on large     installations bug#0001094: Filtering broken on Data     Sources page bug#0001103: Fix looping poller recache     events bug#0001107: ss_fping.php 100% 'Pkt Loss' does     not work properly bug#0001114: Graphs with no template     and/or no host cause filtering errors on Graph     Management page bug#0001115: View Poller Cache does not     show Data Sources that have no host bug#0001118: Graph     Generation fails if e.g. ifDescr contains some blanks     bug#0001132: TCP/UDP ping port ignored bug#0001133:
    Downed Device Detection: None leads to database errors     bug#0001134: update_host_status handles     ping_availability incorrectly bug#0001143: 'U' not     allowed as min/max RRD value bug#0001158: Deleted user     causes error on user log viewer bug#0001161: Re-assign     duplicate radio button IDs bug#0001164: Add HTML title     attributes for certain pages bug#0001168:
    ALL_DATA_SOURCES_NODUPS includes DUPs?     SIMILAR_DATA_SOURCES_DUPS is available again bug: Cacti     does not guarentee RRA consolidation functions exist in     RRA's bug: Alert on changing logarithmic scaling removed     bug: add_hosts.php did not accept privacy protocol     security: Fix several security vulnerabilities feature:
    show basic RRDtool graph options on Graph Template edit     feature: Add additional logging to Graph Xport feature:
    Add rows dropdown to devices, graphs and data sources     feature: Add device_id and event count to devices     feature: Add ids to devices, graphs and data sources     pages feature: Add database repair utility

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes: * XSS vulnerabilities * Path disclosure vulnerabilities * SQL injection vulnerabilities * HTTP response splitting vulnerabilities bug#0000855: Unnecessary (and faulty) DEF generation for CF:AVERAGE bug#0001083: Small visual fix for Cacti in 'View Cacti Log File' bug#0001089: Graph xport modification to increase default rows output bug#0001091: Poller incorrectly identifies unique hosts bug#0001093:
CLI Scripts bring MySQL down on large installations bug#0001094:
Filtering broken on Data Sources page bug#0001103: Fix looping poller recache events bug#0001107: ss_fping.php 100% 'Pkt Loss' does not work properly bug#0001114: Graphs with no template and/or no host cause filtering errors on Graph Management page bug#0001115: View Poller Cache does not show Data Sources that have no host bug#0001118: Graph Generation fails if e.g. ifDescr contains some blanks bug#0001132:
TCP/UDP ping port ignored bug#0001133: Downed Device Detection: None leads to database errors bug#0001134: update_host_status handles ping_availability incorrectly bug#0001143: 'U' not allowed as min/max RRD value bug#0001158: Deleted user causes error on user log viewer bug#0001161: Re-assign duplicate radio button IDs bug#0001164: Add HTML title attributes for certain pages bug#0001168:
ALL_DATA_SOURCES_NODUPS includes DUPs? SIMILAR_DATA_SOURCES_DUPS is available again bug: Cacti does not guarentee RRA consolidation functions exist in RRA's bug: Alert on changing logarithmic scaling removed bug: add_hosts.php did not accept privacy protocol security:
Fix several security vulnerabilities feature: show basic RRDtool graph options on Graph Template edit feature: Add additional logging to Graph Xport feature: Add rows dropdown to devices, graphs and data sources feature: Add device_id and event count to devices feature: Add ids to devices, graphs and data sources pages feature: Add database repair utility

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running Cacti, a web-based front-end to RRDTool for network graphing.

The version of Cacti installed on the remote host fails to sanitize user input to the 'login_username' parameter before using it in the 'auth_login.php' script to perform database queries.  Regardless of PHP's 'magic_quotes_gpc' setting, an attacker may be able to exploit this issue to manipulate database queries to disclose sensitive information, bypass authentication, or even attack the underlying database.

Note that there are also reportedly several other vulnerabilities associated with this version of Cacti, although Nessus has not checked for them.

ID	Name	Product	Family	Severity
32143	Debian DSA-1569-2 : cacti - insufficient input sanitising	Nessus	Debian Local Security Checks	high
31444	GLSA-200803-18 : Cacti: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
31107	Fedora 7 : cacti-0.8.7b-1.fc7 (2008-1737)	Nessus	Fedora Local Security Checks	high
31104	Fedora 8 : cacti-0.8.7b-1.fc8 (2008-1699)	Nessus	Fedora Local Security Checks	high
31048	Cacti index.php/sql.php Login Action login_username Parameter SQL Injection	Nessus	CGI abuses	high

Detections

Analytics

CVE-2008-0785

high

Tenable Plugins

high

high

high

high

high