Gentoo Forums
[ GLSA 200604-07 ] Cacti: Multiple vulnerabilities in included ADOdb
GLSA
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Fri Apr 14, 2006 9:26 pm    Post subject: [ GLSA 200604-07 ] Cacti: Multiple vulnerabilities in includ

Gentoo Linux Security Advisory

Title: Cacti: Multiple vulnerabilities in included ADOdb (GLSA 200604-07)
Severity: high
Exploitable: remote
Date: April 14, 2006
Bug(s): #129284
ID: 200604-07

Synopsis

Multiple vulnerabilities have been discovered in the ADOdb layer included in Cacti, potentially resulting in the execution of arbitrary code.

Background

Cacti is a complete web-based frontend to rrdtool. ADOdb is a PHP-based database abstraction layer which is included in Cacti.

Affected Packages

Package: net-analyzer/cacti
Vulnerable: < 0.8.6h_p20060108-r2
Unaffected: >= 0.8.6h_p20060108-r2
Architectures: All supported architectures


Description

Several vulnerabilities have been identified in the copy of ADOdb included in Cacti. Andreas Sandblad discovered a dynamic code evaluation vulnerability (CVE-2006-0147) and a potential SQL injection vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL injection vulnerability (CVE-2006-0410), and Gulftech Security discovered multiple cross-site-scripting issues (CVE-2006-0806).

Impact

Remote attackers could trigger these vulnerabilities by sending malicious queries to the Cacti web application, resulting in arbitrary code execution, database compromise through arbitrary SQL execution, and malicious HTML or JavaScript code injection.

Workaround

There is no known workaround at this time.

Resolution

All Cacti users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6h_p20060108-r2"
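
As an added illustration, not part of the advisory or of Gentoo's own tooling: a small Python check that parses Gentoo package versions and reports whether an installed net-analyzer/cacti version is older than the unaffected version stated above. It implements a simplified subset of Gentoo version ordering (assumptions: numeric components compare numerically, suffixes order as _alpha < _beta < _pre < _rc < no suffix < _p, then the -rN revision), and reads installed versions from the standard Portage VDB layout under /var/db/pkg.

```python
import os
import re

# Ordering of Gentoo version suffixes (simplified subset; assumption for this example).
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

# Matches versions such as "0.8.6h_p20060108-r2": dotted numbers, optional
# single letter, optional _suffix with number, optional -r revision.
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<suffixnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

# Lower bound of the unaffected range, taken from the advisory above.
UNAFFECTED_FROM = "0.8.6h_p20060108-r2"


def parse_version(version):
    """Turn a Gentoo version string into a tuple that compares in version order."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised Gentoo version: %r" % version)
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffix = m.group("suffix")
    suffixnum = int(m.group("suffixnum") or 0)
    rev = int(m.group("rev") or 0)
    # Tuple comparison gives: numeric parts, then letter, then suffix
    # class, then suffix number, then revision. A shorter numeric tuple
    # sorts before a longer one with the same prefix (0.8.6 < 0.8.6.1).
    return (nums, letter, SUFFIX_RANK[suffix], suffixnum, rev)


def is_affected(installed_version, fixed_version=UNAFFECTED_FROM):
    """True when the installed version is below the first unaffected version."""
    return parse_version(installed_version) < parse_version(fixed_version)


def installed_versions(category="net-analyzer", package="cacti", vdb="/var/db/pkg"):
    """Return versions recorded in the Portage VDB as <vdb>/<category>/<package>-<version>/.

    Assumption: the standard VDB directory layout; returns [] when the
    category directory is absent (e.g. when run on a non-Gentoo host).
    """
    catdir = os.path.join(vdb, category)
    if not os.path.isdir(catdir):
        return []
    prefix = package + "-"
    found = []
    for entry in os.listdir(catdir):
        if entry.startswith(prefix) and VERSION_RE.match(entry[len(prefix):]):
            found.append(entry[len(prefix):])
    return found


def report(versions):
    """Map each version to its verdict, so callers can act on the result."""
    return {v: ("VULNERABLE" if is_affected(v) else "ok") for v in versions}


if __name__ == "__main__":
    # Constructed sample versions stand in when no VDB entry exists.
    versions = installed_versions() or ["0.8.6h_p20060108-r1", "0.8.6h_p20060108-r2"]
    for version, verdict in report(versions).items():
        print("net-analyzer/cacti-%s: %s" % (version, verdict))
```

Running the script on a Gentoo host lists each installed cacti slot with a VULNERABLE/ok verdict against the advisory's threshold; on other hosts it falls back to the constructed sample versions. Portage's own `glsa-check` remains the authoritative tool; this check only illustrates the version comparison the advisory's range implies.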


References

CVE-2006-0146
CVE-2006-0147
CVE-2006-0410
CVE-2006-0806


Last edited by GLSA on Sun May 07, 2006 5:01 pm; edited 1 time in total