net/cacit explort
Jeremy Chadwick
koitsu at FreeBSD.org
Fri Jan 12 16:17:43 UTC 2007
On Thu, Jan 11, 2007 at 10:04:42PM -0500, Dan Langille wrote:
> There is an exploit out for cacti. Details here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> Patches here:
>
> http://forums.cacti.net/viewtopic.php?t=18846&start=30
>
> There is no new release yet. Shall I create a PR with the above
> patches? [I'm about to create a patch for the port now and apply it
> to my server via port upgrade]
Thanks greatly for this, Dan.
Secunia released this announcement, since there's no details of the
actual problem in the forum threads:
http://secunia.com/advisories/23528/
I'm absolutely amazed. This is not the fault of PHP (which has its
own security issues), but the fault of the cacti authors for making
blind assumptions. It doesn't take a genius, especially on a UNIX
system, to think about the repercussions of passing URL arguments
directly to system()-executed commands.
I'd been considering (off and on for about a year) using cacti for
statistics gathering, and now I'm glad I didn't. This kind-of
flaw is a direct reflection of bad programming, not "bad code".
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-ports
mailing list