GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Fri Apr 14, 2006 9:26 pm Post subject: [ GLSA 200604-07 ] Cacti: Multiple vulnerabilities in includ |
 |
|
Gentoo Linux Security Advisory
Title: Cacti: Multiple vulnerabilities in included ADOdb (GLSA 200604-07)
Severity: high
Exploitable: remote
Date: April 14, 2006
Bug(s): #129284
ID: 200604-07
Synopsis
Multiple vulnerabilities have been discovered in the ADOdb layer included in Cacti, potentially resulting in the execution of arbitrary code.
Background
Cacti is a complete web-based frontend to rrdtool. ADOdb is a PHP-based database abstraction layer which is included in Cacti.
Affected Packages
Package: net-analyzer/cacti
Vulnerable: < 0.8.6h_p20060108-r2
Unaffected: >= 0.8.6h_p20060108-r2
Architectures: All supported architectures
Description
Several vulnerabilities have been identified in the copy of ADOdb included in Cacti. Andreas Sandblad discovered a dynamic code evaluation vulnerability (CVE-2006-0147) and a potential SQL injection vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL injection vulnerability (CVE-2006-0410), and Gulftech Security discovered multiple cross-site-scripting issues (CVE-2006-0806).
Impact
Remote attackers could trigger these vulnerabilities by sending malicious queries to the Cacti web application, resulting in arbitrary code execution, database compromise through arbitrary SQL execution, and malicious HTML or JavaScript code injection.
Workaround
There is no known workaround at this time.
Resolution
All Cacti users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6h_p20060108-r2" |
References
CVE-2006-0146
CVE-2006-0147
CVE-2006-0410
CVE-2006-0806
Last edited by GLSA on Sun May 07, 2006 5:01 pm; edited 1 time in total |
|
News & Announcements
