[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4665F292.5030903@gmail.com>
Date: Wed, 06 Jun 2007 01:32:34 +0200
From: Mathieu Dessus <mdessus@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Cacti Denial of Service
Description:
-----------
It is possible to an authenticated user in Cacti to modify the
graph_start and graph_end parameters values in the URL, and specify
higher numbers than expected in order to make Cacti use all the server CPU.
For example, if an user modify a graph URL as seen is the location bar:
http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034
to this one:
http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000
rrdtool will take 100% of the CPU (for a long time). By doing multiple
requests like this, an attacker may create a denial of service on the
server running Cacti.
This was tested on the current version, but should work on previous
versions as well.
Solution:
--------
You should ùodify the check done in the file lib/html_validate.php
(function input_validate_input_number) by adding a second check like this:
function input_validate_input_number($value) {
if ((!is_numeric($value)) && ($value != "")) {
die_html_input_error();
}
if ($value >= 10000000000) {
die_html_input_error();
}
}
The Cacti team has now patched the source in their SVN :
http://svn.cacti.net/cgi-bin/viewcvs.cgi/branches/BRANCH_0_8_6/cacti/graph_image.php?rev=3956&r1=3898&r2=39
More info:
---------
http://mdessus.free.fr/?p=15
http://bugs.cacti.net/view.php?id=955
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists