Cacti Multiple SQL Injection Vulnerabilities


Description   Two SQL injection vulnerabilities have been identified in Cacti:
- CVE-2015-8369: in the "rrdtool_function_graph()" function in graph.php
- CVE-2015-8377: in the "host_new_graphs_save()" function in graphs_new.php

Proofs of concept are available.

The cacti packages provided by Debian Squeeze 6, Wheezy 7 and Jessie 8 are vulnerable.

Updated, 05/01/2016:
The cacti packages provided by FreeBSD are vulnerable (CVE-2015-8369).
     
Vulnerable Products   Vulnerable OS:
FreeBSD (FreeBSD) - All
GNU/Linux (Debian) - 6, 7, 8
openSUSE (SUSE) - 13.1, 13.2, 42.1
Vulnerable Software:
Cacti (The Cacti Group) - 0.5, 0.6, 0.6.1, 0.6.2, 0.6.3, ..., 0.8.8b, 0.8.8c, 0.8.8d, 0.8.8e, 0.8.8f
     
Solution   Fixed cacti packages for FreeBSD are available.
     
CVE   CVE-2015-8377
CVE-2015-8369
     
References   - Full Disclosure : CVE-2015-8369 Cacti SQL injection in graph.php
http://seclists.org/fulldisclosure/2015/Dec/8
- Full Disclosure : CVE-2015-8377 Cacti graphs_new.php SQL Injection Vulnerability
http://seclists.org/fulldisclosure/2015/Dec/57
- Debian Security Tracker : cacti
https://security-tracker.debian.org/tracker/CVE-2015-8369
https://security-tracker.debian.org/tracker/CVE-2015-8377
- DSA 3423-1 : cacti security update
https://lists.debian.org/debian-security-announce/2015/msg00328.html
- DLA 374-1 : cacti security update
https://lists.debian.org/debian-lts-announce/2015/12/msg00016.html
- DLA 374-3 : cacti regression update
https://lists.debian.org/debian-lts-announce/2016/01/msg00002.html
- VuXML : cacti -- SQL injection vulnerabilities
http://www.vuxml.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html
- openSUSE-SU-2016:0438-1 : Security update for cacti
http://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html
- openSUSE-SU-2016:0437-1 : Security update for cacti
http://lists.opensuse.org/opensuse-updates/2016-02/msg00077.html
- openSUSE-SU-2016:0440-1 : Security update for cacti
http://lists.opensuse.org/opensuse-updates/2016-02/msg00080.html
- Cacti : 0.8.8g
http://www.cacti.net/changelog.php
- DSA 3494-1 : cacti security update
https://lists.debian.org/debian-security-announce/2016/msg00064.html
- VuXML : cacti -- multiple vulnerabilities
http://www.vuxml.org/freebsd/db3301be-e01c-11e5-b2bd-002590263bf5.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (available since):
- SQL injection Prevention - GET : suspicious OR statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL (3.2.0)
- SQL injection Prevention - GET : suspicious CREATE statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious CAST statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious OPENROWSET statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious DECLARE statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious OPENQUERY statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious shutdown statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious UNION SELECT statement in URL (3.2.0)
- SQL injection Prevention - GET : possible database version probing (3.2.0)
- SQL injection Prevention - GET : suspicious UPDATE SET statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious SELECT statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious INSERT statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious DROP statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious EXEC statement in URL (3.2.0)
- SQL injection Prevention - GET : block comment delimiters in URL (3.2.0)
- SQL injection Prevention - POST : suspicious UPDATE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious SELECT statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious DECLARE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OPENROWSET statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OPENQUERY statement in data (5.0.0)
- SQL injection Prevention - GET : suspicious combination of 'select' and 'sleep' statements in URL (5.0.0)
- SQL injection Prevention - POST : suspicious CAST statement in data (5.0.0)
- SQL injection Prevention - GET : Evasion attempt with CAST and EXEC statements (5.0.0)
- SQL injection Prevention - POST : suspicious EXEC statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious CREATE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious INSERT statement in data (5.0.0)
- SQL injection Prevention - GET : Authentication bypass attempt with OR statement (5.0.0)
- SQL injection Prevention - POST : suspicious DROP statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious HAVING statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious UNION statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OR statement in data (5.0.0)
- SQL injection Prevention - POST : possible version probing in data (5.0.0)
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-12-05 

 Target Type 
Server 

 Possible exploit 
Remote