Date: Wed, 06 Jun 2007 01:32:34 +0200
From: Mathieu Dessus <mdessus@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Cacti Denial of Service

Description:
-----------

It is possible for an authenticated user in Cacti to modify the
graph_start and graph_end parameter values in the URL, specifying
higher numbers than expected in order to make Cacti use all of the server's CPU.
For example, if a user modifies a graph URL as seen in the location bar:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034

to this one:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000

rrdtool will take 100% of the CPU (for a long time). By doing multiple
requests like this, an attacker may create a denial of service on the
server running Cacti.

This was tested on the current version, but should work on previous
versions as well.

Solution:
--------

You should modify the check done in the file lib/html_validate.php
(function input_validate_input_number) by adding a second check like this:

function input_validate_input_number($value) {
  // Existing check: reject anything that is neither numeric nor empty
  if ((!is_numeric($value)) && ($value != "")) {
    die_html_input_error();
  }
  // Added check: reject values far too large to be a sane Unix timestamp
  if ($value >= 10000000000) {
    die_html_input_error();
  }
}

The Cacti team has now patched the source in their SVN:
http://svn.cacti.net/cgi-bin/viewcvs.cgi/branches/BRANCH_0_8_6/cacti/graph_image.php?rev=3956&r1=3898&r2=39
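
The following is an added example, not code from the advisory or from the Cacti project, of how the suggested upper bound can be combined with a check on the start/end pair as a whole, so that a window covering an absurd number of rrdtool data points is rejected even when each value alone passes. The function names, the MAX_SPAN_SECONDS limit and the sample query strings are this example's own assumptions; the 10000000000 ceiling is the one from the suggested fix above.

```php
<?php
// Added example (not Cacti's code): bounded validation of the graph_start
// and graph_end timestamps before they are handed to rrdtool. Assumes a
// 64-bit PHP build so that timestamps above 2^31 survive the (int) casts.

// Upper bound used in the advisory's suggested fix: 10^10 seconds is
// roughly the year 2286, far beyond any RRA a Cacti install would hold.
const MAX_TIMESTAMP = 10000000000;

// Assumed extra limit (not from the advisory): the widest window rrdtool
// will be asked to render. Ten years here; set it to the longest RRA kept.
const MAX_SPAN_SECONDS = 10 * 365 * 24 * 3600;

/**
 * Returns null when $value is an acceptable timestamp, otherwise a short
 * reason string. An empty value is accepted because Cacti treats it as
 * "use the default" (the original check allows it for the same reason).
 */
function validate_timestamp($value) {
    if ($value === '' || $value === null) {
        return null;
    }
    // Require a plain decimal integer. is_numeric() alone also accepts
    // exponent notation such as "1e12", which is just as oversized.
    if (!preg_match('/^-?[0-9]+$/', (string) $value)) {
        return 'not an integer';
    }
    if ((float) $value >= MAX_TIMESTAMP) {
        return 'timestamp too large';
    }
    return null;
}

/**
 * Validates the graph_start/graph_end pair together: each value must pass
 * validate_timestamp(), the end must come after the start, and the window
 * must not exceed MAX_SPAN_SECONDS.
 */
function validate_graph_window($start, $end) {
    foreach (['graph_start' => $start, 'graph_end' => $end] as $name => $v) {
        $err = validate_timestamp($v);
        if ($err !== null) {
            return "$name: $err";
        }
    }
    if ($start === '' || $end === '') {
        return null;            // defaults are filled in later by the caller
    }
    $start = (int) $start;
    $end   = (int) $end;
    if ($end <= $start) {
        return 'graph_end must be after graph_start';
    }
    if ($end - $start > MAX_SPAN_SECONDS) {
        return 'graph window too wide';
    }
    return null;
}

// Constructed sample query strings: the advisory's original and modified
// URLs, plus a few other shapes that should also be refused.
$samples = [
    'local_graph_id=2&rra_id=0&graph_start=1164236234&graph_end=1179871034',
    'local_graph_id=2&rra_id=0&graph_start=1164236234000&graph_end=1179871034000',
    'local_graph_id=2&rra_id=0&graph_start=1e12&graph_end=1179871034',
    'local_graph_id=2&rra_id=0&graph_start=1179871034&graph_end=1164236234',
    'local_graph_id=2&rra_id=0&graph_start=&graph_end=',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    $err = validate_graph_window($params['graph_start'] ?? '', $params['graph_end'] ?? '');
    printf("%-80s -> %s\n", $qs, $err === null ? 'accepted' : "rejected ($err)");
}
```

Of the five constructed inputs only the first (a window of about 181 days) and the last (both values empty) are accepted; the advisory's modified URL is rejected by the MAX_TIMESTAMP check, the "1e12" form by the integer pattern, and the reversed pair by the ordering check. In a deployment, the rejection reason is worth logging alongside the requesting user, since repeated oversized windows from one account are the pattern described in the advisory.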

More info:
---------

http://mdessus.free.fr/?p=15
http://bugs.cacti.net/view.php?id=955

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/