It is possible to an authenticated user in Cacti to modify the graph_start and graph_end parameters values in the URL, and specify higher numbers than expected in order to make cacti use all the server CPU.
For example, if an user modify a graph URL as seen is the location bar:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034

to this one:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000

rrdtool will take 100% of the CPU (for a long time). By doing multiple requests like this, an attacker may create a denial of service on the server running Cacti.

Proposed patch:

Modify the check done in the file lib/html_validate.php (function input_validate_input_number in Cacti current version) by adding a second check like this:

36a37,39
>        if ($value >= 10000000000) {
>              die_html_input_error();
>        }

So we would have:

function input_validate_input_number($value) {
  if ((!is_numeric($value)) && ($value != "")) {
    die_html_input_error();
  }
  if ($value >= 10000000000) {
    die_html_input_error();
  }
}

I have posted this bug in Cacti bugtracker more than one week ago. It is referenced as CVE-2007-3112.

June 2, 2007, 12:17 pm lock

Add your own comment or set a trackback

Currently 1 comment

Add your own comment

*
To prove you're a person (not a spam script), type the security word shown in the picture.
Anti-Spam Image



Follow comments according to this article through a RSS 2.0 feed