CVE-2011-4824 SQL injection issue in auth_login.php

Bug #906773 reported by Mahyuddin Susanto on 2011-12-20
Affects          Status        Importance  Assigned to  Milestone
cacti (Debian)   Fix Released  Unknown
cacti (Ubuntu)                 Medium      Unassigned
  Lucid                        Medium      Unassigned
  Maverick                     Medium      Unassigned
  Natty                        Medium      Unassigned
  Oneiric                      Medium      Unassigned
  Precise                      Medium      Unassigned

Bug Description


 affects ubuntu/cacti
 milestone lucid
 milestone maverick
 milestone natty
 milestone oneiric
 milestone precise
 assignee udienz
 status inprogress
 security yes
 done

Description
SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter.

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4824

Patch http://svn.cacti.net/viewvc?view=rev&revision=6807


 status new
 assignee nobody
 private no
 subscribe ubuntu-security-sponsors
 tag patch
 done
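The bug class named in the description (a login_username value reaching the SQL text of auth_login.php) is shown below as an added illustration in PHP; this is not Cacti's code or the upstream patch, and the table and column names are hypothetical:

```php
<?php
// Added illustration, not Cacti's code: the bug class described above
// (CVE-2011-4824) is a login_username value reaching the SQL string.
// Hypothetical table/column names; Cacti's real schema may differ.

// BEFORE (vulnerable pattern): the request parameter is interpolated
// straight into the query text, so the SQL parser sees user input as SQL.
function find_user_vulnerable(mysqli $db, string $login_username): ?array {
    $sql = "SELECT id, username, password FROM user_auth "
         . "WHERE username = '" . $login_username . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// AFTER (hardened): a prepared statement sends the query text and the
// value separately; the value is bound as data and cannot change the
// statement's structure, whatever characters it contains.
function find_user_fixed(mysqli $db, string $login_username): ?array {
    $stmt = $db->prepare(
        "SELECT id, username, password FROM user_auth WHERE username = ?"
    );
    $stmt->bind_param('s', $login_username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Caller side of a login script (illustrative): the parameter is still
// checked for emptiness and length as defence in depth, but the safety
// of the SQL no longer depends on that check.
function login_lookup(mysqli $db, array $post): ?array {
    $login_username = (string)($post['login_username'] ?? '');
    if ($login_username === '' || strlen($login_username) > 255) {
        return null;  // reject empty or oversized names before touching the DB
    }
    return find_user_fixed($db, $login_username);
}
```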

On 12/20/2011 03:20 PM, Mahyuddin Susanto wrote:
> ** Bug watch added: Debian Bug tracker #652371
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652371
>
> ** Also affects: cacti (Debian) via
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652371
> Importance: Unknown
> Status: Unknown
>

Attached debdiff for lucid, maverick, natty and oneiric

tags: added: patch
visibility: private → public
Changed in cacti (Ubuntu):
assignee: Mahyuddin Susanto (udienz) → nobody
status: In Progress → New
Changed in cacti (Debian):
status: Unknown → Fix Committed
Changed in cacti (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in cacti (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Changed in cacti (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Medium
Changed in cacti (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in cacti (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Changed in cacti (Ubuntu Lucid):
status: Confirmed → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in cacti (Ubuntu Maverick):
status: Confirmed → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in cacti (Ubuntu Natty):
status: Confirmed → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in cacti (Ubuntu Oneiric):
status: Confirmed → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! Unfortunately, they do not apply (patching the series file fails on each). How did you generate these? Did you test the patched packages? Per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, I have marked these tasks Incomplete and assigned them to you. Please adjust the debdiff and note the testing performed.

Unsubscribing ubuntu-security-sponsors. Please resubscribe after submitting updated debdiffs. Thanks again.

tags: added: patch-needswork
Jamie Strandboge (jdstrand) wrote :

Also, the lucid debdiff contains undocumented changes to debian/po files. When submitting, can you remove this from the debdiff?

Jamie Strandboge (jdstrand) wrote :

One last thing, cacti on lucid has several other open CVEs: CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544 and CVE-2010-2545. Do you plan on providing patches for these as well? If so, please update the debdiff to include these as well. Thanks again!

Mahyuddin Susanto (udienz) wrote :

> How did you generate these? Did you test the patched packages?

By looking at upstream svn changes I can modify debian sources easily. Yes, I tested it.

> When submitting, can you remove this from the debdiff?

Yup

> One last thing, cacti on lucid has several other open CVEs: CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544 and CVE-2010-2545. Do you plan on providing patches for these as well? If so, please update the debdiff to include these as well. Thanks again!

The CVEs mentioned above have been resolved in 0.8.7e-2ubuntu0.1 by Brian Thomson. Here is the changelog for 0.8.7e-2ubuntu0.1:
cacti (0.8.7e-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix SQL injection vulnerability in templates_export.php
    (LP: #599892)
    - debian/patches/CVE-2010-1431.patch: patch derived from upstream patch
    - CVE-2010-1431
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-1644.patch: patch derived from upstream patch
    - CVE-2010-1644
  * SECURITY UPDATE: Fix arbitrary command execution vuln
    - debian/patches/CVE-2010-1645.patch: patch derived from upstream patches
    - CVE-2010-1645
  * SECURITY UPDATE: Fix a SQL injection vulnerability in graph.php
    - debian/patches/CVE-2010-2092.patch: patch derived from Debian patch
    - CVE-2010-2092
    - DSA-2060
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-2543.patch: patch derived from upstream patches
    - CVE-2010-2543
    - CVE-2010-2544
    - CVE-2010-2545

 -- Brian Thomason <email address hidden> Mon, 24 Jan 2011 11:20:13 -0500

Changed in cacti (Ubuntu Lucid):
status: Incomplete → New
Changed in cacti (Ubuntu Maverick):
status: Incomplete → New
Changed in cacti (Ubuntu Natty):
status: Incomplete → New
Changed in cacti (Ubuntu Oneiric):
status: Incomplete → New
Changed in cacti (Ubuntu Lucid):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in cacti (Ubuntu Maverick):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in cacti (Ubuntu Natty):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in cacti (Ubuntu Oneiric):
assignee: Mahyuddin Susanto (udienz) → nobody
Kees Cook (kees) wrote :

Perhaps due to LP's email processing, the debdiff I tried (natty) was lacking a trailing newline on the last line. After adding that, things went nicely.

I've confirmed that the natty debdiff builds for me, and that cacti continues to behave after update.

Mahyuddin Susanto (udienz) wrote :

Agreed with Kees Cook,

Here updated debdiff

Jamie Strandboge (jdstrand) wrote :

Regarding newline in maverick-oneiric: weird. Thanks for the update. I can confirm the patches apply after adding the newline.

Changed in cacti (Ubuntu Maverick):
status: New → Confirmed
Changed in cacti (Ubuntu Natty):
status: New → Confirmed
Changed in cacti (Ubuntu Oneiric):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

ACK lucid-oneiric. Thanks for the patches!

Jamie Strandboge (jdstrand) wrote :

Uploaded to the security ppa.

Changed in cacti (Ubuntu Lucid):
status: New → Fix Committed
Changed in cacti (Ubuntu Maverick):
status: Confirmed → Fix Committed
Changed in cacti (Ubuntu Natty):
status: Confirmed → Fix Committed
Changed in cacti (Ubuntu Oneiric):
status: Confirmed → Fix Committed
tags: removed: patch-needswork

The attachment "cacti_lucid.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Jamie Strandboge (jdstrand) wrote :

Oops, maverick and natty have the same version. We need to use 0.8.7g-1ubuntu0.10.10.1 and 0.8.7g-1ubuntu0.11.04.1. Adjusting and reuploading.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.7g-2.1ubuntu0.1

---------------
cacti (0.8.7g-2.1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 16:01:16 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.7g-1ubuntu0.11.04.1

---------------
cacti (0.8.7g-1ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 15:52:09 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.7g-1ubuntu0.10.10.1

---------------
cacti (0.8.7g-1ubuntu0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 15:46:56 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.7e-2ubuntu0.2

---------------
cacti (0.8.7e-2ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 22:39:36 +0700

Changed in cacti (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in cacti (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in cacti (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in cacti (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Mahyuddin Susanto (udienz) wrote :

Fixed in precise

cacti (0.8.7i-2) unstable; urgency=low

  * Cherry-pick upstream patches
    - debian/patches/10_settings_checkbox.patch
  * debian/patches/05_no-adodb.patch: Updates, add semicolon at line 190.
    (Closes: #653863)
  * Updated last changelog to mention security bug.

cacti (0.8.7i-1) unstable; urgency=low

  * New upstream release. (Closes: #642971)
    - Fix Ping query. (Closes: #616320, #561488)
    - Fix SQL injection issue in auth_login.php (Closes: #652371) this is
      CVE-2011-4824
  * debian/control:
    - Bump Standard-Version to 3.9.2, no source changes.
    - Change Maintainer to pkg-cacti. (Closes: #613857)
    - Add Sean and myself as uploaders.
    - Change Vcs-* to pkg-cacti.
  * debian/copyright: Rewriting as per dep5 format.
  * debian/source: Added to mentioning quilt patch system.
  * debian/README.source: Deleted, not needed anymore
  * debian/patches/09_use-utf8.patch: Use UTF-8 while creating database and
    producing RRD, Thanks to Slavko <email address hidden>. (Closes: #604395)
  * Refreshed patches:
    - debian/patches/01_config.php.patch
    - debian/patches/05_no-adodb.patch
    - debian/patches/06_config_settings.php_cactid_path.patch
    - debian/patches/07_cli-include-path.patch (Closes: #604396)
    - debian/patches/08_563955_local_data_id.patch (Closes: #563955)
  * Drop patches applied upstream:
    - 606062_ping.pl.patch
    - data_source_deactivate.patch
    - graph_list_view.patch
    - html_output.patch
    - ldap_group_authenication.patch
    - ping.patch
    - poller_interval.patch
    - script_server_command_line_parse.patch
  * Add Lighttpd support:
    - debian/docs: updated
    - debian/cacti.lighttpd.conf: added
    - debian/cacti.{postinst|postrm|templates}: updated

Changed in cacti (Ubuntu Precise):
status: Triaged → Fix Released
Changed in cacti (Debian):
status: Fix Committed → Fix Released
Paul Gevers (paul-climbing) wrote :

I suspect bug 914746 is the result of regression in the patch for lucid. If so, maybe also maverick, natty and oneiric are affected, as the proposed solution comes from upstream 0.8.7i version. My suspicion is raised by the first patch that was attached to the bug, which was against the 0.8.7g version of cacti (in Maverick, Natty and Oneiric).

If this all is true, a proposed patch is already available in that bug [1].

[1] https://launchpadlibrarian.net/109336601/LP914746_data_query.patch

tags: added: verification-failed
Paul Gevers (paul-climbing) wrote :

The package based on 0.8.7g are fine. The problem is only in lucid. The patch did not work. Improved patch available [2].

[2] https://launchpadlibrarian.net/109541404/LP914746_regression_lucid_string_offset_in_data_query.patch

Paul Gevers (paul-climbing) wrote :

After even more investigation, I don't think bug 914746 is caused by regression, I think it is a bug on its own. Sorry for the noise.

tags: removed: verification-failed