Date: Fri, 12 Jan 2007 08:17:42 -0800
From: Jeremy Chadwick
To: Dan Langille
Cc: ports@FreeBSD.org, sem@FreeBSD.org
Subject: Re: net/cacit explort
Message-ID: <20070112161742.GA49158@icarus.home.lan>
In-Reply-To: <45A6B47A.7279.87E474C9@dan.langille.org>
List-Id: Porting software to FreeBSD

On Thu, Jan 11, 2007 at 10:04:42PM -0500, Dan Langille wrote:
> There is an exploit out for cacti. Details here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> Patches here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> There is no new release yet. Shall I create a PR with the above
> patches? [I'm about to create a patch for the port now and apply it
> to my server via port upgrade]

Thanks greatly for this, Dan. Secunia released this announcement, since
there are no details of the actual problem in the forum threads:

http://secunia.com/advisories/23528/

I'm absolutely amazed. This is not the fault of PHP (which has its own
security issues), but the fault of the cacti authors for making blind
assumptions. It doesn't take a genius, especially on a UNIX system, to
think about the repercussions of passing URL arguments directly to
system()-executed commands.

I'd been considering (off and on for about a year) using cacti for
statistics gathering, and now I'm glad I didn't. This kind of flaw is
a direct reflection of bad programming, not "bad code".

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
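
The flaw class named in the message above (URL arguments passed straight into a shell command), shown beside a hardened form. This is an added example, not part of the original message and not Cacti's code; the helper path, the `host_id` parameter and the sample requests are constructed for illustration. It only builds and prints command lines and executes nothing.

```php
<?php
// Added illustration; not Cacti code. POLLER, the host_id parameter and the
// request values below are hypothetical and constructed for this example.
const POLLER = '/usr/local/bin/example_poller';

// The pattern the message criticises: a request value is pasted into the
// command line, so the shell parses whatever the client sent.
function build_unsafe(array $q): string
{
    return POLLER . ' --host-id=' . $q['host_id'];
}

// Hardened form: accept only the expected grammar (a short decimal integer),
// then quote the argument anyway so the shell sees exactly one word.
function build_safe(array $q): string
{
    $id = $q['host_id'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 9) {
        throw new InvalidArgumentException('host_id must be a decimal integer');
    }
    return POLLER . ' ' . escapeshellarg('--host-id=' . (int) $id);
}

// Constructed request parameters, as PHP would expose them in $_GET.
$requests = [
    ['host_id' => '42'],
    ['host_id' => '42; id'],   // shell metacharacter in the value
    ['host_id' => '$(id)'],    // command substitution syntax
    ['host_id' => ['42']],     // ?host_id[]=42 arrives as an array
];

foreach ($requests as $q) {
    $shown = json_encode($q['host_id']);
    if (is_string($q['host_id'])) {
        // What a system() call would hand to /bin/sh in the unsafe version.
        echo "unsafe  $shown => ", build_unsafe($q), "\n";
    }
    try {
        echo "safe    $shown => ", build_safe($q), "\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $shown => ", $e->getMessage(), "\n";
    }
}
```

Validation against the expected type is the primary control here; `escapeshellarg()` is a second layer for the case where a shell is still involved.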