7.5 - MDVSA-2010:117

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	MDVSA-2010:117	First vendor Publication	2010-06-16
Vendor	Mandriva	Last vendor Modification	2010-06-16
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been discovered and corrected in cacti:

SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which bypasses the validation routine (CVE-2010-2092).

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:117

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11696

Oval ID:	oval:org.mitre.oval:def:11696
Title:	DSA-2060 cacti -- insufficient input sanitisation
Description:	Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Due to checking the input of $_REQUEST but using $_GET input in a query an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value.
Family:	unix	Class:	patch
Reference(s):	DSA-2060 CVE-2010-2092	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	cacti
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND cacti is earlier than 0.8.7b-2.1+lenny3

Definition Id: oval:org.mitre.oval:def:13352

Oval ID:	oval:org.mitre.oval:def:13352
Title:	DSA-2060-1 cacti -- insufficient input sanitisation
Description:	Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Due to checking the input of $_REQUEST but using $_GET input in a query an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value. For the stable distribution, this problem has been fixed in version 0.8.7b-2.1+lenny3. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 0.8.7e-4. We recommend that you upgrade your cacti packages.
Family:	unix	Class:	patch
Reference(s):	DSA-2060-1 CVE-2010-2092	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	cacti
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND cacti DPKG is earlier than 0.8.7b-2.1+lenny3

CPE : Common Platform Enumeration

Type	Description	Count
Application	Cacti cpe:2.3:a:cacti:cacti:0.8.7i:::::::* cpe:2.3:a:cacti:cacti:0.8.7h:::::::* cpe:2.3:a:cacti:cacti:0.8.7g:::::::* cpe:2.3:a:cacti:cacti:0.8.7f:::::::* cpe:2.3:a:cacti:cacti:0.8.7e:::::::* cpe:2.3:a:cacti:cacti:0.8.7d:::::::* cpe:2.3:a:cacti:cacti:0.8.7c:::::::* cpe:2.3:a:cacti:cacti:0.8.7b:::::::* cpe:2.3:a:cacti:cacti:0.8.7a:::::::* cpe:2.3:a:cacti:cacti:0.8.7:::::::* cpe:2.3:a:cacti:cacti:0.8.6k:::::::* cpe:2.3:a:cacti:cacti:0.8.6j:::::::* cpe:2.3:a:cacti:cacti:0.8.6i:::::::* cpe:2.3:a:cacti:cacti:0.8.6h:::::::* cpe:2.3:a:cacti:cacti:0.8.6g:::::::* cpe:2.3:a:cacti:cacti:0.8.6f:::::::* cpe:2.3:a:cacti:cacti:0.8.6e:::::::* cpe:2.3:a:cacti:cacti:0.8.6d:::::::* cpe:2.3:a:cacti:cacti:0.8.6c:::::::* cpe:2.3:a:cacti:cacti:0.8.6b:::::::* cpe:2.3:a:cacti:cacti:0.8.6a:::::::* cpe:2.3:a:cacti:cacti:0.8.6:::::::* cpe:2.3:a:cacti:cacti:0.8.5a:::::::* cpe:2.3:a:cacti:cacti:0.8.5:::::::* cpe:2.3:a:cacti:cacti:0.8.4:::::::* cpe:2.3:a:cacti:cacti:0.8.3a:::::::* cpe:2.3:a:cacti:cacti:0.8.3:::::::* cpe:2.3:a:cacti:cacti:0.8.2a:::::::* cpe:2.3:a:cacti:cacti:0.8.2:::::::* cpe:2.3:a:cacti:cacti:0.8.1:::::::* cpe:2.3:a:cacti:cacti:0.8:::::::* cpe:2.3:a:cacti:cacti:0.6.8a:::::::* cpe:2.3:a:cacti:cacti:0.6.8:::::::* cpe:2.3:a:cacti:cacti:0.6.7:::::::* cpe:2.3:a:cacti:cacti:0.6.6:::::::* cpe:2.3:a:cacti:cacti:0.6.5:::::::* cpe:2.3:a:cacti:cacti:0.6.4:::::::* cpe:2.3:a:cacti:cacti:0.6.3:::::::* cpe:2.3:a:cacti:cacti:0.6.2:::::::* cpe:2.3:a:cacti:cacti:0.6.1:::::::* cpe:2.3:a:cacti:cacti:0.6:::::::* cpe:2.3:a:cacti:cacti:0.5:-:::::: cpe:2.3:a:cacti:cacti:0.5:::::::* cpe:2.3:a:cacti:cacti::::::::	44

OpenVAS Exploits

Date	Description
2010-07-06	Name : Debian Security Advisory DSA 2060-1 (cacti) File : nvt/deb_2060_1.nasl
2010-06-18	Name : Mandriva Update for cacti MDVSA-2010:117 (cacti) File : nvt/gb_mandriva_MDVSA_2010_117.nasl
2010-05-14	Name : Cacti 'rra_id' Parameter SQL Injection Vulnerability File : nvt/gb_cacti_40149.nasl
2010-04-16	Name : Mandriva Update for flashplayer MDVA-2010:117 (flashplayer) File : nvt/gb_mandriva_MDVA_2010_117.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
64964	Cacti graph.php rra_id Parameter SQL Injection Cacti contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'graph.php' script not properly sanitizing user-supplied input to the 'rra_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Description

64964

Cacti graph.php rra_id Parameter SQL Injection

Cacti contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'graph.php' script not properly sanitizing user-supplied input to the 'rra_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Nessus® Vulnerability Scanner

Date	Description
2014-01-22	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-20.nasl - Type : ACT_GATHER_INFO
2010-06-14	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2060.nasl - Type : ACT_GATHER_INFO
2010-05-04	Name : The remote web server is running a PHP application that is affected by multip... File : cacti_087e.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	44
osvdb(s)	1
Openvas Exploit(s)	4
Nessus® Exploit(s)	3

	Related
7.5	CVE-2010-2092
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)