[Pkg-cacti-maint] Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

[Paul Gevers]

Control: severity -1 important
Control: tags -1 pending

Hi all,

On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Severity: grave
> CVE-2017-16641[0]:
> | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> | to execute arbitrary OS commands via the path_rrdtool parameter in an
> | action=save request to settings.php.

Although this is true, and this parameter is not meant to be used like
this, the cacti *admin* has always had this possibility via the "Data
Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
raised. I just confirmed that I could indeed still do the via that
(trivial) route.

So just to be clear (and I don't particularly like it), the power of the
cacti *admin* has been long known and has been accepted as unfixed for
multiple Debian releases. Therefor I lower the severity of this bug.

Unfortunately the upstream patch for this bug does not simply apply to
pre 1.x versions of cacti. I am not comfortable (yet) with creating a
patch for those versions, and due to CVE-2009-4112, I don't think it is
worth fixing this in stable and older.

Paul

PS on other option is to raise the severity of 561339 again, but I don't
expect the patch to then miraculously turn up.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-cacti-maint/attachments/20171110/7b1c8d31/attachment-0001.sig>