-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.001
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.001
Advisory Published:      2007-01-01 20:55 UTC

Issue Id (internal):     OpenPKG-SI-20070101.01
Issue First Created:     2007-01-01
Issue Last Modified:     2007-01-01
Issue Revision:          09
____________________________________________________________________________

Subject Name:            Cacti
Subject Summary:         Network Monitoring and Graphing Frontend
Subject Home:            http://www.cacti.net/
Subject Versions:        * <= 0.8.6i

Vulnerability Id:        none
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           manipulation of data, arbitrary code execution

Description:
    Three vulnerabilities have been identified and exploited [0] in the
    network monitoring and graphing frontend Cacti [1], versions up to
    and including 0.8.6i. They can be exploited by malicious people to
    bypass certain security restrictions, manipulate data and compromise
    vulnerable systems.
    
    First, the "cmd.php" script does not properly restrict access
    to command line usage and is installed in a Web-accessible
    location. Successful exploitation requires that the PHP variable
    "register_argc_argv" is enabled, which is the default in the OpenPKG
    "cacti" package.
    
    Second, input passed in the URL to "cmd.php" is not properly
    sanitised before being used in SQL queries. This can be exploited
    to manipulate SQL queries by injecting arbitrary SQL code.
    Successful exploitation requires again that the PHP variable
    "register_argc_argv" is enabled, which is the default in the OpenPKG
    "cacti" package.
    
    Third, the results from the SQL queries passed by an attacker to
    "cmd.php" are not properly sanitised before being used as shell
    commands. This can be exploited to inject arbitrary shell commands,
    too.

References:
    [0] http://www.milw0rm.com/exploits/3029
    [1] http://www.cacti.net/
____________________________________________________________________________

Primary Package Name:    cacti
Primary Package Home:    http://openpkg.org/go/package/cacti

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        cacti-0.8.6i-E1.0.1
OpenPKG Community        2-STABLE-20061018 cacti-0.8.6i-2.20070101
OpenPKG Community        2-STABLE          cacti-0.8.6i-2.20070101
OpenPKG Community        CURRENT           cacti-0.8.6i-20070101
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD4DBQFFmWcnZwQuyWG3rjQRAuxRAJQOgbiiUxvdzP49SwiSqOoairz1AJ4v/e0A
pMG5BaGeIVcKH7Dnh7PSUQ==
=QT1T
-----END PGP SIGNATURE-----