Date: Fri, 12 Jan 2007 08:17:42 -0800
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Dan Langille <dan@langille.org>
Cc: ports@FreeBSD.org, sem@FreeBSD.org
Subject: Re: net/cacit explort
Message-ID: <20070112161742.GA49158@icarus.home.lan>
In-Reply-To: <45A6B47A.7279.87E474C9@dan.langille.org>
References: <45A6B47A.7279.87E474C9@dan.langille.org>
On Thu, Jan 11, 2007 at 10:04:42PM -0500, Dan Langille wrote:
> There is an exploit out for cacti. Details here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> Patches here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> There is no new release yet. Shall I create a PR with the above
> patches? [I'm about to create a patch for the port now and apply it
> to my server via port upgrade]

Thanks greatly for this, Dan.

Secunia released this announcement, since there are no details of the
actual problem in the forum threads:

http://secunia.com/advisories/23528/

I'm absolutely amazed. This is not the fault of PHP (which has its own
security issues), but the fault of the cacti authors for making blind
assumptions. It doesn't take a genius, especially on a UNIX system, to
think about the repercussions of passing URL arguments directly to
system()-executed commands.

I'd been considering (off and on for about a year) using cacti for
statistics gathering, and now I'm glad I didn't. This kind of flaw is a
direct reflection of bad programming, not "bad code".

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
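The pattern Jeremy objects to, a URL parameter spliced into a command that the PHP process hands to the shell, is shown below beside a hardened form. This is an added example written for this archive page; it is not cacti's code and does not reproduce the flaw the Secunia advisory describes. The `?host=` parameter, the `ping` wrapper and the function names are hypothetical.

```php
<?php
// Added example, not cacti's code. The script, its ?host= parameter and
// the ping wrapper are hypothetical; they only illustrate the pattern.

// VULNERABLE PATTERN: the query-string value is concatenated straight into
// a command line that exec()/system() hand to /bin/sh, so any shell
// metacharacter in the value is interpreted by the shell, not treated as
// data. Kept here only as the "before" for comparison.
function ping_host_vulnerable(string $host): string {
    $out = [];
    exec("ping -c 1 " . $host, $out);   // $host is unvalidated user input
    return implode("\n", $out);
}

// Hardened step 1: allow-list what a hostname or IPv4 literal may look
// like (RFC 1123 style labels, dot separated, no leading/trailing hyphen).
// Anything else is rejected before any command is built.
function is_valid_host(string $host): bool {
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match('/^' . $label . '(\.' . $label . ')*\z/', $host);
}

// Hardened step 2: even after validation, quote the value so the shell
// sees one argument. The leading-hyphen rule above also keeps the value
// from being parsed as an option by ping itself.
function ping_host_hardened(string $host): ?string {
    if (!is_valid_host($host)) {
        return null;   // reject and log; run nothing
    }
    $out = [];
    exec("ping -c 1 " . escapeshellarg($host), $out);
    return implode("\n", $out);
}

// Constructed inputs showing what the allow-list accepts and refuses.
var_dump(is_valid_host("example.com"));     // bool(true)
var_dump(is_valid_host("192.0.2.10"));      // bool(true)
var_dump(is_valid_host("example.com;x"));   // bool(false): ';' is not a label character
var_dump(is_valid_host("a b"));             // bool(false): space is not a label character
var_dump(is_valid_host("-flag.example"));   // bool(false): leading hyphen
```

Validation and quoting are complementary: the allow-list bounds what the value can be, and escapeshellarg() makes the shell treat whatever passes as a single literal argument. Where the PHP version allows it (proc_open() accepts an argument array from PHP 7.4), avoiding the shell entirely is the stronger option, because no command string is ever built from request data.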