Bug 201702 - net-mgmt/cacti: Multiple XSS and SQL injection vulnerabilities (CVE-2015-4634)
Summary: net-mgmt/cacti: Multiple XSS and SQL injection vulnerabilities (CVE-2015-4634)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords: patch, security
Depends on: 201747
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-19 23:44 UTC by Jason Unovitch
Modified: 2015-07-22 06:43 UTC (History)
3 users (show)

See Also:
freebsd-ports: maintainer-feedback+
freebsd-ports: merge-quarterly?


Attachments
security/vuxml for < cacti-0.8.8e (1.90 KB, patch)
2015-07-19 23:50 UTC, Jason Unovitch
no flags Details | Diff
security/vuxml for < cacti-0.8.8e (1.91 KB, patch)
2015-07-20 00:15 UTC, Jason Unovitch
junovitch: maintainer-approval? (ports-secteam)
Details | Diff
Update to 0.8.8e (1.79 KB, patch)
2015-07-20 02:56 UTC, Daniel Austin
freebsd-ports: maintainer-approval+
Details | Diff
Update to 0.8.8f (security + bugfix release) (1.83 KB, patch)
2015-07-20 12:46 UTC, Daniel Austin
freebsd-ports: maintainer-approval+
Details | Diff
cacti-0.8.8f_1.patch (870 bytes, patch)
2015-07-21 23:56 UTC, Jason Unovitch
no flags Details | Diff
cacti-0.8.8f_1.patch (776 bytes, patch)
2015-07-22 00:19 UTC, Jason Unovitch
junovitch: maintainer-approval? (freebsd-ports)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2015-07-19 23:44:11 UTC
Maintainer of net-mgmt/cacti,
Cacti 0.8.8e was released featuring multiple security fixes.

Release Notes - 0.8.8e

Important Security Fixes

    Multiple XSS and SQL injection vulnerabilities
    CVE-2015-4634 - SQL injection in graphs.php

Changelog
bug: Fixed issue with graph zooming failing to work
bug: Fixed various SQL Injection vectors
bug#0002569: Impossible to have a URL pointing directly to a graph
bug#0002574: SQL Injection Vulnerabilities in graph items and graph template items
bug#0002577: CVE-2015-4634 - SQL injection in graphs.php
bug#0002579: SQL Injection Vulnerabilities in data sources
bug#0002580: SQL Injection in cdef.php
bug#0002582: SQL Injection in data_templates.php
bug#0002583: SQL Injection in graph_templates.php
bug#0002584: SQL Injection in host_templates.php
bug#0002586: Cannot delete data sources from the GUI
bug#0002592: graph_view.php - viewing host in new tab - Undefined index: nodeid
bug#0002594: status_fail_date and status_rec_date are set incorrectly after host is marked down
bug#0002597: Incorrect value in Hosts column on Host Templates page
bug#0002598: Incorrect row number in Devices -> (Edit) page
Comment 1 Jason Unovitch freebsd_committer 2015-07-19 23:50:22 UTC
Created attachment 158992 [details]
security/vuxml for < cacti-0.8.8e

Log:

Document Cacti Multiple XSS and SQL injection vulnerabilities

PR:		201702
Security:	CVE-2015-4634
Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Validation:

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8d
cacti-0.8.8d is vulnerable:
cacti -- Multiple XSS and SQL injection vulnerabilities
CVE: CVE-2015-4634
WWW: https://vuxml.FreeBSD.org/freebsd/0bfda05f-2e6f-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8e
0 problem(s) in the installed packages found.
Comment 2 Jason Unovitch freebsd_committer 2015-07-19 23:51:31 UTC
Note:
Per http://seclists.org/oss-sec/2015/q3/150 it appears additional CVE's were requested for the individual SQL injection vulnerabilities.  The entry may have to be revised pending the assignment.
Comment 3 Jason Unovitch freebsd_committer 2015-07-20 00:15:01 UTC
Created attachment 158993 [details]
security/vuxml for < cacti-0.8.8e

** fix formatting error **

Log:

Document Cacti Multiple XSS and SQL injection vulnerabilities

PR:		201702
Security:	CVE-2015-4634
Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5
Comment 4 Daniel Austin 2015-07-20 02:56:40 UTC
Created attachment 158998 [details]
Update to 0.8.8e

Patch to update to 0.8.8e to resolve security issues (and a few other bugs)

Poudriere testport logs available at:

http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8e/

(9+10 i386+amd64)
Comment 5 Daniel Austin 2015-07-20 02:58:33 UTC
I've included a patch to upgrade to 0.8.8e and set the merge-quarterly request flag as it's a security related patch.
Comment 6 Daniel Austin 2015-07-20 12:46:06 UTC
Created attachment 159015 [details]
Update to 0.8.8f (security + bugfix release)

This updates to 0.8.8f which fixes security issues and a few bugs (including some introduced in 0.8.8e whilst trying to fix it!)
Comment 7 Daniel Austin 2015-07-20 12:47:14 UTC
Poudriere testport logs for cacti 0.8.8f:

http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8f/
Comment 8 commit-hook freebsd_committer 2015-07-20 14:35:50 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 20 14:35:40 UTC 2015
New revision: 392572
URL: https://svnweb.freebsd.org/changeset/ports/392572

Log:
  Document Cacti Multiple XSS and SQL injection vulnerabilities

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Comment 9 commit-hook freebsd_committer 2015-07-20 14:45:54 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 20 14:45:46 UTC 2015
New revision: 392573
URL: https://svnweb.freebsd.org/changeset/ports/392573

Log:
  Update to 0.8.8f to resolve security and bug issues

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 10 commit-hook freebsd_committer 2015-07-20 14:47:56 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 20 14:47:40 UTC 2015
New revision: 392574
URL: https://svnweb.freebsd.org/changeset/ports/392574

Log:
  MFH: r392573

  Update to 0.8.8f to resolve security and bug issues

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/net-mgmt/cacti/Makefile
  branches/2015Q3/net-mgmt/cacti/distinfo
  branches/2015Q3/net-mgmt/cacti/pkg-plist
Comment 11 Mark Felder freebsd_committer 2015-07-20 14:48:35 UTC
committed, thanks!
Comment 12 Jason Unovitch freebsd_committer 2015-07-21 23:56:20 UTC
Created attachment 159053 [details]
cacti-0.8.8f_1.patch

https://forums.freebsd.org/threads/problem-with-cacti-upgrading.52458/

Dan,
The thread above was reported in the forums.  Apparently there is a typo in the migration code in 0.8.8f and this is causing issues when starting the service after an update.  Obviously that file doesn't exist.

install/index.php 
@@ -468,7 +468,7 @@ if ($step == "4") {
                        include ("0_8_8d_to_0_8_8e.php");
                        upgrade_to_0_8_8e();
                }elseif ($cacti_versions[$i] == "0.8.8f") {
-                       include ("0_8_8f_to_0_8_8f.php");
+                       include ("0_8_8e_to_0_8_8f.php");
                        upgrade_to_0_8_8f();
                }
        }

Mark,
Can we get this applied and MFH'd?

Upstream Bug Reference:
http://bugs.cacti.net/view.php?id=2605
Comment 13 Jason Unovitch freebsd_committer 2015-07-22 00:06:15 UTC
Reset to open based on runtime issues with 0.8.8f caused by a typo introduced upstream.
Comment 14 Jason Unovitch freebsd_committer 2015-07-22 00:19:21 UTC
Created attachment 159054 [details]
cacti-0.8.8f_1.patch

Disregard initial patch. The comment in the forum thread about fetching the file and not finding the bad code made me look a little closer. The SHA256 doesn't match ports anymore but the fact that I had the distfile and the fact that one of the fallback mirrors had the bad distfile hid this.
 
According to http://www.cacti.net/downloads/
cacti-0.8.8f.tar.gz	20-Jul-2015 09:43 	2.5M

It looks like this was caught and fixed after the 19 July release and they re-rolled the distfile.  I see 2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 as the hash.  Patch attached fixes the issue by updating to the new 0.8.8f distfile and bumping PORTREVISION.
Comment 15 Jason Unovitch freebsd_committer 2015-07-22 00:52:56 UTC
Tagging depends on bug 201747. Dan it appears you caught the issue and have the same exact patch in that bug.  Both can be closed when this is applied.  Sorry for the excess noise.
Comment 16 commit-hook freebsd_committer 2015-07-22 02:52:33 UTC
A commit references this bug:

Author: feld
Date: Wed Jul 22 02:51:51 UTC 2015
New revision: 392656
URL: https://svnweb.freebsd.org/changeset/ports/392656

Log:
  Upstream re-rolled distfile.
  Bump PORTREVISION to address it.

  PR:		201702
  MFH:		2015Q3

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
Comment 17 commit-hook freebsd_committer 2015-07-22 02:53:35 UTC
A commit references this bug:

Author: feld
Date: Wed Jul 22 02:52:48 UTC 2015
New revision: 392657
URL: https://svnweb.freebsd.org/changeset/ports/392657

Log:
  MFH: r392656

  Upstream re-rolled distfile.
  Bump PORTREVISION to address it.

  PR:		201702
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/net-mgmt/cacti/Makefile
  branches/2015Q3/net-mgmt/cacti/distinfo
Comment 18 Mark Felder freebsd_committer 2015-07-22 02:54:06 UTC
I'll try to contact upstream to address this issue and hopefully prevent it from happening again in the future.

Thanks for your patience and for reporting this so quickly. My apologies for the delay.
Comment 19 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-22 06:43:48 UTC
Classify post-resolution