English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 72151 CVE descriptions
and 38907 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.55070
Category:Conectiva Local Security Checks
Title:Conectiva Security Advisory CLSA-2005:978 (cacti)
Summary:Conectiva Security Advisory CLSA-2005:978 (cacti)
Description:
The remote host is missing updates announced in
advisory CLSA-2005:978.

1.CVE-2005-1524
Cacti contains an input validation error in the
top_graph_header.php script that allows an attacker
to include arbitrary PHP code from remote sites.
This in effect allows arbitrary code execution with
the privileges of the web server.

2.CVE-2005-1525
Cacti contains an input validation error in the
config_settings.php script which allows an attacker
to execute arbitrary SQL queries. This in effect
allows an attacker to recover the administrative
password for the Cacti installation. Various scripts
are vulnerable to SQL injection using the 'id' variable.

3.CVE-2005-1526
Cacti contains an input validation error in the
config_settings.php script which allows an attacker
to include arbitrary PHP code from remote sites.
This in effect allows arbitrary code execution with
the privileges of the web server.

IMPORTANT
For Conectiva Linux 10:
The cacti cron command must be changed from
'/srv/www/default/html/cacti/cmd.php' to
'/srv/www/default/html/cacti/poller.php' in order
to get the new cacti properly working.

For Conectiva Linux 9:
The database must be converted in order to make
cacti work again and also apply the above cron change.

For aditional information on upgrading cacti please,
refer to the file /srv/www/default/html/cacti/docs/INSTALL
included in the package.

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000978
http://www.cacti.net
http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities&flashstatus=true
http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities&flashstatus=true
http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities&flashstatus=true

Risk factor : High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-1524
http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities&flashstatus=true
Conectiva Linux advisory: CLSA-2005:978
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000978
Debian Security Information: DSA-764 (Google Search)
http://www.debian.org/security/2005/dsa-764
http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
http://www.osvdb.org/17426
http://securitytracker.com/id?1014252
http://secunia.com/advisories/15490
http://secunia.com/advisories/15931
http://secunia.com/advisories/16136
XForce ISS Database: cacti-topgraphheader-file-include(21118)
http://xforce.iss.net/xforce/xfdb/21118
Common Vulnerability Exposure (CVE) ID: CVE-2005-1525
http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities&flashstatus=true
BugTraq ID: 14027
http://www.securityfocus.com/bid/14027
http://www.osvdb.org/17424
XForce ISS Database: cacti-configsettings-sql-injection(21120)
http://xforce.iss.net/xforce/xfdb/21120
Common Vulnerability Exposure (CVE) ID: CVE-2005-1526
http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities
BugTraq ID: 14028
http://www.securityfocus.com/bid/14028
http://www.osvdb.org/17425
XForce ISS Database: cacti-configsettings-file-include(21119)
http://xforce.iss.net/xforce/xfdb/21119
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 38907 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2014 E-Soft Inc. All rights reserved.