what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Deutsche Telekom CERT Advisory DTC-A-20140324-001

Deutsche Telekom CERT Advisory DTC-A-20140324-001
Posted Mar 25, 2014
Authored by Deutsche Telekom CERT

Cacti version 0.8.7g suffers from stored cross site scripting, cross site request forgery, and possible command execution vulnerabilities.

tags | advisory, vulnerability, xss, csrf
advisories | CVE-2014-2326, CVE-2014-2327, CVE-2014-2328
SHA-256 | a60f85a2d28f7d6505f3ecacf176ca9ddaef9f4003db247563075b71d7f4162d

Deutsche Telekom CERT Advisory DTC-A-20140324-001

Change Mirror Download
Deutsche Telekom CERT Advisory [DTC-A-20140324-001] 

Summary:
Three vulnerabilities were found in cacti version 0.8.7g.

The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands

At the moment we have no feedback regarding a patch from the developers.

Homepage: http://www.cacti.net/

Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems used to login to Cacti should be isolated from each external network including internet connection over proxy server, to prevent any threats concerning the open vulnerabilities.

Details:
a) application
b) problem
c) CVSS
d) detailed description
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a1) Cacti 0.8.7g [CVE-2014-2326]
b1) Stored Cross-Site Scripting (XSS) (via URL)
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a2) Cacti 0.8.7g [CVE-2014-2327]
b2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
c2) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d2) The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system.
Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allow arbitrary commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin.


Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@telekom.de
Life is for sharing.

Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn

Big changes start small – conserve resources by not printing every e-mail.
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close