Date: Thu, 11 Jan 2007 22:21:45 -0500 (EST) From: Dan Langille <dan@langille.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: Dan Langille <dan@langille.org> Subject: ports/107835: [UPDATE] net/cacti fix exploit Message-ID: <20070112032145.2221F3EC4@xeon.unixathome.org> Resent-Message-ID: <200701120330.l0C3UHs5053968@freefall.freebsd.org>
>Number: 107835 >Category: ports >Synopsis: [UPDATE] net/cacti fix exploit >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Fri Jan 12 03:30:16 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Dan Langille >Release: FreeBSD 4.9-STABLE i386 >Organization: The FreeBSD Diary >Environment: System: FreeBSD xeon.unixathome.org 4.9-STABLE FreeBSD 4.9-STABLE #2: Wed Mar 3 08:16:24 EST 2004 dan@polo.unixathome.org:/usr/obj/usr/src/sys/XEON i386 >Description: Cacti has an exploit in the wild. details: http://forums.cacti.net/viewtopic.php?t=18846&start=30 patches: http://www.cacti.net/download_patches.php?version=0.8.6i >How-To-Repeat: >Fix: --- cacti.diff begins here --- diff -ruN /usr/ports/net/cacti/Makefile cacti/Makefile --- /usr/ports/net/cacti/Makefile Fri Nov 3 05:21:42 2006 +++ cacti/Makefile Thu Jan 11 22:14:25 2007 @@ -7,7 +7,7 @@ PORTNAME= cacti PORTVERSION= 0.8.6i${PATCHLEVEL} -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= net www MASTER_SITES= http://www.cacti.net/downloads/ DISTNAME= ${PORTNAME}-${SITEDISTVERSION} diff -ruN /usr/ports/net/cacti/files/patch-dec06-vulnerability-poller-0.8.6i.patch cacti/files/patch-dec06-vulnerability-poller-0.8.6i.patch --- /usr/ports/net/cacti/files/patch-dec06-vulnerability-poller-0.8.6i.patch Wed Dec 31 19:00:00 1969 +++ cacti/files/patch-dec06-vulnerability-poller-0.8.6i.patch Thu Jan 11 22:13:23 2007 
@@ -0,0 +1,137 @@
+diff -ruBbd cacti-0.8.6i/cmd.php cacti-0.8.6i-patch/cmd.php
+--- cmd.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/cmd.php 2007-01-01 12:27:15.328125000 -0500
+@@ -26,7 +26,7 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+@@ -70,6 +71,10 @@
+ $print_data_to_stdout = false;
+ if ($_SERVER["argc"] == "3") {
+ if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
++ /* address potential exploits */
++ input_validate_input_number($_SERVER["argv"][1]);
++ input_validate_input_number($_SERVER["argv"][2]);
++
+ $hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
+ "id >= " .
+ $_SERVER["argv"][1] .
+diff -ruBbd cacti-0.8.6i/copy_cacti_user.php cacti-0.8.6i-patch/copy_cacti_user.php
+--- copy_cacti_user.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/copy_cacti_user.php 2007-01-01 12:27:15.312500000 -0500
+@@ -25,9 +25,10 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (! isset($_SERVER["argv"][0])) {
+- die("This script is only meant to run at the command line.\n");
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
++
+ if (empty($_SERVER["argv"][2])) {
+ die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
+ }
+diff -ruBbd cacti-0.8.6i/include/html/inc_timespan_settings.php cacti-0.8.6i-patch/include/html/inc_timespan_settings.php
+--- include/html/inc_timespan_settings.php 2006-10-09 00:05:58.000000000 -0400
++++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php 2007-01-02 11:55:45.953125000 -0500
+@@ -24,6 +24,20 @@
+ +-------------------------------------------------------------------------+
+ */
+
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var_request("predefined_timespan"));
++/* ==================================================== */
++
++/* clean up date1 string */
++if (isset($_REQUEST["date1"])) {
++ $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
++}
++
++/* clean up date2 string */
++if (isset($_REQUEST["date2"])) {
++ $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
++}
++
+ /* initialize the timespan array */
+ $timespan = array();
+
+diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patch/poller.php
+--- poller.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/poller.php 2007-01-01 12:27:15.328125000 -0500
+@@ -26,7 +26,7 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+diff -ruBbd cacti-0.8.6i/poller_commands.php cacti-0.8.6i-patch/poller_commands.php
+--- poller_commands.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/poller_commands.php 2007-01-01 12:27:15.328125000 -0500
+@@ -27,7 +27,7 @@
+ define("MAX_RECACHE_RUNTIME", 296);
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+diff -ruBbd cacti-0.8.6i/poller_export.php cacti-0.8.6i-patch/poller_export.php
+--- poller_export.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/poller_export.php 2007-01-01 12:27:15.328125000 -0500
+@@ -25,7 +25,7 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+diff -ruBbd cacti-0.8.6i/poller_reindex_hosts.php cacti-0.8.6i-patch/poller_reindex_hosts.php
+--- poller_reindex_hosts.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/poller_reindex_hosts.php 2007-01-01 12:27:15.328125000 -0500
+@@ -25,7 +25,7 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+diff -ruBbd cacti-0.8.6i/rebuild_poller_cache.php cacti-0.8.6i-patch/rebuild_poller_cache.php
+--- rebuild_poller_cache.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/rebuild_poller_cache.php 2007-01-01 12:27:15.312500000 -0500
+@@ -25,7 +25,7 @@
+ */
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+ }
+
+diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php
+--- script_server.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/script_server.php 2007-01-01 12:27:15.312500000 -0500
+@@ -26,9 +26,8 @@
+ $no_http_headers = true;
+
+ /* do NOT run this script through a web browser */
+-if (!isset($_SERVER["argv"][0])) {
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
+- exit(-1);
+ }
+
+ /* define STDOUT/STDIN file descriptors if not running under CLI */
diff -ruN /usr/ports/net/cacti/files/patch-dec06-vulnerability-scripts-0.8.6i.patch cacti/files/patch-dec06-vulnerability-scripts-0.8.6i.patch
--- /usr/ports/net/cacti/files/patch-dec06-vulnerability-scripts-0.8.6i.patch Wed Dec 31 19:00:00 1969
+++ cacti/files/patch-dec06-vulnerability-scripts-0.8.6i.patch Thu Jan 11 22:13:31 2007
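Review bot: The replacement guard `if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR']))`, added first in cmd.php and repeated in copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php, script_server.php and every file of the scripts patch below, still infers "not a web request" from environment keys; `$_SERVER['argv']` can be populated under a web SAPI when register_argc_argv is enabled, which is why the original one-clause test was too weak, and the two new clauses depend on the web server populating those keys rather than on the SAPI itself. Testing the SAPI directly, `if (php_sapi_name() != 'cli') {`, states the intent and does not depend on which variables a given server fills in; if the heuristic form is kept, a comment naming that dependency belongs above it. In cmd.php the new `input_validate_input_number()` calls come after the `<=` comparison on the line above them, so the comparison still runs on unvalidated strings; harmless as written, but validating before comparing reads more clearly. In inc_timespan_settings.php the presence test is `isset($_REQUEST["date1"])` while the sanitized value is read through `get_request_var("date1")`; if that helper reads a narrower source than `$_REQUEST`, a value supplied through the other channel is silently replaced by an empty string — presumably intended, but worth confirming. The cmd.php and script_server.php blocks continue outside their hunks.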
@@ -0,0 +1,106 @@
+diff -ruBbd cacti-0.8.6i/scripts/query_host_cpu.php cacti-0.8.6i-patch/scripts/query_host_cpu.php
+--- scripts/query_host_cpu.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/query_host_cpu.php 2007-01-01 12:50:55.781250000 -0500
+@@ -1,6 +1,12 @@
+ <?php
+
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
++
+ include(dirname(__FILE__) . "/../include/config.php");
+ include(dirname(__FILE__) . "/../lib/snmp.php");
+
+diff -ruBbd cacti-0.8.6i/scripts/query_host_partitions.php cacti-0.8.6i-patch/scripts/query_host_partitions.php
+--- scripts/query_host_partitions.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/query_host_partitions.php 2007-01-01 12:50:55.781250000 -0500
+@@ -1,6 +1,12 @@
+ <?php
+
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
++
+ include(dirname(__FILE__) . "/../include/config.php");
+ include(dirname(__FILE__) . "/../lib/snmp.php");
+
+diff -ruBbd cacti-0.8.6i/scripts/sql.php cacti-0.8.6i-patch/scripts/sql.php
+--- scripts/sql.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/sql.php 2007-01-01 12:50:55.781250000 -0500
+@@ -1,6 +1,12 @@
+ <?
+
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
++
+ include(dirname(__FILE__) . "/../include/config.php");
+
+ if ($database_password == "") {
+diff -ruBbd cacti-0.8.6i/scripts/ss_fping.php cacti-0.8.6i-patch/scripts/ss_fping.php
+--- scripts/ss_fping.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/ss_fping.php 2007-01-01 12:50:55.796875000 -0500
+@@ -1,7 +1,11 @@
+ <?php
+ #!/usr/bin/php -q
+
+-//STANDARD SCRIPT SERVER HEADER!!!
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
+
+ /* display No errors */
+diff -ruBbd cacti-0.8.6i/scripts/ss_host_cpu.php cacti-0.8.6i-patch/scripts/ss_host_cpu.php
+--- scripts/ss_host_cpu.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/ss_host_cpu.php 2007-01-01 12:50:55.796875000 -0500
+@@ -1,4 +1,10 @@
+ <?php
++
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
+
+ /* display No errors */
+diff -ruBbd cacti-0.8.6i/scripts/ss_host_disk.php cacti-0.8.6i-patch/scripts/ss_host_disk.php
+--- scripts/ss_host_disk.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/ss_host_disk.php 2007-01-01 12:50:55.796875000 -0500
+@@ -1,4 +1,10 @@
+ <?php
++
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
+
+ /* display No errors */
+diff -ruBbd cacti-0.8.6i/scripts/ss_sql.php cacti-0.8.6i-patch/scripts/ss_sql.php
+--- scripts/ss_sql.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/scripts/ss_sql.php 2007-01-01 12:50:55.781250000 -0500
+@@ -1,5 +1,10 @@
+ <?php
+
++/* do NOT run this script through a web browser */
++if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
++ die("<br><strong>This script is only meant to run at the command line.</strong>");
++}
++
+ $no_http_headers = true;
+
+ /* display ALL errors */
diff -ruN /usr/ports/net/cacti/files/patch-import_template_argument_space_removal.patch cacti/files/patch-import_template_argument_space_removal.patch
--- /usr/ports/net/cacti/files/patch-import_template_argument_space_removal.patch Wed Dec 31 19:00:00 1969
+++ cacti/files/patch-import_template_argument_space_removal.patch Thu Jan 11 22:13:39 2007
@@ -0,0 +1,14 @@
+--- lib/import.php 2006-10-09 00:06:00.000000000 -0400
++++ cacti-0.8.6i-patch/lib/import.php 2007-01-02 08:17:09.593750000 -0500
+@@ -687,6 +687,11 @@
+ while (list($field_name, $field_array) = each($fields_data_input_edit)) {
+ /* make sure this field exists in the xml array first */
+ if (isset($xml_array[$field_name])) {
++ /* fix issue with data input method importing and white spaces */
++ if ($field_name == "input_string") {
++ $xml_array[$field_name] = str_replace("><", "> <", $xml_array[$field_name]);
++ }
++
+ $save[$field_name] = addslashes(xml_character_decode($xml_array[$field_name]));
+ }
+ }
diff -ruN /usr/ports/net/cacti/files/patch-poller_output_remainder.patch cacti/files/patch-poller_output_remainder.patch
--- /usr/ports/net/cacti/files/patch-poller_output_remainder.patch Wed Dec 31 19:00:00 1969
+++ cacti/files/patch-poller_output_remainder.patch Thu Jan 11 22:13:43 2007
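Review bot: In the scripts/sql.php section the new guard is inserted below the existing `<?` context line, so on an interpreter with short_open_tag disabled nothing in the file is parsed and the guard never runs; the rest of the file, starting with the `$database_password` check visible in the hunk, would then be returned as plain text if the script were ever reachable through the web server. Changing that opener to `<?php`, as the other six scripts in this patch already use, makes the guard effective regardless of the ini setting. The placement itself is right: the check precedes `$no_http_headers = true;` and the `include(... "/../include/config.php")` in every file, so no configuration is loaded before the SAPI test. In ss_fping.php the removed `//STANDARD SCRIPT SERVER HEADER!!!` marker is replaced rather than kept alongside the guard, which is fine, but the `#!/usr/bin/php -q` line that follows `<?php` is left where it is and is now just a comment inside the guard's file; worth a note in the port if it was meant to work as a shebang.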
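Review bot: The new `str_replace("><", "> <", $xml_array[$field_name])` runs before `xml_character_decode()` is applied on the `$save[$field_name]` line below it, so it only has an effect if the placeholder delimiters are already literal `<`/`>` in `$xml_array` at this point; if they are still entity-encoded until the decode call, the literal `><` never matches and the fix is a no-op — verify which form the value has here, and if it is the encoded one, apply the replacement to the decoded string instead. The comment `/* fix issue with data input method importing and white spaces */` should say what is being corrected, e.g. `/* adjacent placeholders in input_string lose their separating space on export; put it back so arguments stay distinct */`. The enclosing `while` loop in lib/import.php starts before and ends after the hunk.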
@@ -0,0 +1,46 @@
+diff -ruBbd cacti-0.8.6i/lib/poller.php cacti-0.8.6i-patched/lib/poller.php
+--- lib/poller.php 2006-10-08 23:06:01.000000000 -0400
++++ cacti-0.8.6i-patched/lib/poller.php 2006-11-21 23:41:02.000000000 -0500
+@@ -213,7 +213,7 @@
+ /* process_poller_output - grabs data from the 'poller_output' table and feeds the *completed*
+ results to RRDTool for processing
+ @arg $rrdtool_pipe - the array of pipes containing the file descriptor for rrdtool */
+-function process_poller_output($rrdtool_pipe) {
++function process_poller_output($rrdtool_pipe, $remainder = FALSE) {
+ global $config;
+
+ include_once($config["library_path"] . "/rrd.php");
+@@ -221,6 +221,12 @@
+ /* let's count the number of rrd files we processed */
+ $rrds_processed = 0;
+
++ if ($remainder) {
++ $limit = "";
++ }else{
++ $limit = "LIMIT 10000";
++ }
++
+ /* create/update the rrd files */
+ $results = db_fetch_assoc("select
+ poller_output.output,
+@@ -231,7 +237,7 @@
+ poller_item.rrd_num
+ from (poller_output,poller_item)
+ where (poller_output.local_data_id=poller_item.local_data_id and poller_output.rrd_name=poller_item.rrd_name)
+- limit 10000");
++ $limit");
+
+ if (sizeof($results) > 0) {
+ /* create an array keyed off of each .rrd file */
+diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patched/poller.php
+--- poller.php 2006-10-08 23:06:01.000000000 -0400
++++ cacti-0.8.6i-patched/poller.php 2006-11-12 11:49:05.000000000 -0500
+@@ -166,7 +166,7 @@
+ $polling_items = db_fetch_assoc("select poller_id,end_time from poller_time where poller_id = 0");
+
+ if (sizeof($polling_items) == $process_file_number) {
+- $rrds_processed = $rrds_processed + process_poller_output($rrdtool_pipe);
++ $rrds_processed = $rrds_processed + process_poller_output($rrdtool_pipe, TRUE);
+
+ /* take time and log performance data */
+ list($micro,$seconds) = split(" ", microtime());
--- cacti.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
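Review bot: The signature becomes `function process_poller_output($rrdtool_pipe, $remainder = FALSE)` but the doc comment directly above it still lists only `@arg $rrdtool_pipe`; add `@arg $remainder - when TRUE, process every pending poller_output row instead of the first 10000` so the final call from poller.php is explained. `$limit` is now interpolated into the query string as `$limit");`; it is derived only from the boolean, so this is not an injection path, but a one-line comment at the `if ($remainder)` branch saying the value is fixed text and must stay that way will keep a later edit from passing a caller-supplied value through. Style only: `}else{` does not match the `} else {` spacing used elsewhere in this file, and `TRUE`/`FALSE` are usually written lowercase. The `process_poller_output` body and the poller.php loop both extend beyond their hunks.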