Gentoo: GLSA-200803-18: Cacti: Multiple vulnerabilities
Summary
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200803-18 https://security.gentoo.org/
Severity: Normal Title: Cacti: Multiple vulnerabilities Date: March 10, 2008 Bugs: #209918 ID: 200803-18
Synopsis ======= Multiple vulnerabilities were discovered in Cacti.
Background ========= Cacti is a web-based network graphing and reporting tool.
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/cacti < 0.8.7b >= 0.8.7b
========== The following inputs are not properly sanitized before being processed:
* "view_type" parameter in the file graph.php, "filter" parameter in the file graph_view.php, "action" and "login_username" parameters in the file index.php (CVE-2008-0783).
* "local_graph_id" parameter in the file graph.php (CVE-2008-0784).
* "graph_list" parameter in the file graph_view.php, "leaf_id" and "id" parameters in the file tree.php, "local_graph_id" in the file graph_xport.php (CVE-2008-0785).
Furthermore, CRLF injection attack are possible via unspecified vectors(CVE-2008-0786).
Impact ===== A remote attacker could exploit these vulnerabilities, leading to path disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP response splitting.
Workaround ========= There is no known workaround at this time.
Resolution ========= All Cacti users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.7b"
References ========= [ 1 ] CVE-2008-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0783 [ 2 ] CVE-2008-0784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0784 [ 3 ] CVE-2008-0785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0785 [ 4 ] CVE-2008-0786 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0786
Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/200803-18
Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org/.
License ====== Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - iD8DBQFH1bqruhJ+ozIKI5gRAsm3AJ9yHCjQWtpGb/2/IFipT1RsnasHkQCfSFwX /qhL5im0bEtuQPwuSa4xaVA=KmiL -----END PGP SIGNATURE-----