Cacti suffers from a denial of service vulnerability when an authenticated user manipulates some parameters.
440e27ea43b2248169ef4a5a77bf56e93b2cb09dfb579ee25aa362b1faf3c7cfDescription:
-----------
It is possible to an authenticated user in Cacti to modify the
graph_start and graph_end parameters values in the URL, and specify
higher numbers than expected in order to make Cacti use all the server CPU.
For example, if an user modify a graph URL as seen is the location bar:
http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034
to this one:
http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000
rrdtool will take 100% of the CPU (for a long time). By doing multiple
requests like this, an attacker may create a denial of service on the
server running Cacti.
This was tested on the current version, but should work on previous
versions as well.
Solution:
--------
You should ùodify the check done in the file lib/html_validate.php
(function input_validate_input_number) by adding a second check like this:
function input_validate_input_number($value) {
if ((!is_numeric($value)) && ($value != "")) {
die_html_input_error();
}
if ($value >= 10000000000) {
die_html_input_error();
}
}
The Cacti team has now patched the source in their SVN :
http://svn.cacti.net/cgi-bin/viewcvs.cgi/branches/BRANCH_0_8_6/cacti/graph_image.php?rev=3956&r1=3898&r2=39
More info:
---------
http://mdessus.free.fr/?p=15
http://bugs.cacti.net/view.php?id=955
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed