Raxnet Cacti Command Execution Vulnerability

Published: 2002-09-11
Updated: 2002-09-11
Severity: High
Threat level: Ordinary user access privileges
Error type: Input validation error
Exploitation method: Server mode
BUGTRAQ ID: 5627

Affected systems

Raxnet Cacti 0.5

Detailed description

Raxnet Cacti is a tool for monitoring network activity. It can retrieve information from MySQL to build graphs and compute detailed statistics.

Raxnet Cacti does not properly validate the content of user input. If a command is entered in a graph label field, that command is executed by Raxnet Cacti.

Test code

In graphs.php, choose to add a new graph (graphs.php?action=edit). In edit mode, select the title and enter "$(touch /tmp/touched)" as the vertical label.

Solution

Upgrade the program:

Raxnet Cacti 0.5:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.1:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.2:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.3:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.4:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.5:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.6:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
Raxnet Cacti 0.6.7:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz
  Debian Patch cacti_0.6.7-2.1.dsc
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1.dsc
  Debian Patch cacti_0.6.7-2.1.diff.gz
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1.diff.gz
  Debian Patch cacti_0.6.7.orig.tar.gz
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7.orig.tar.gz
  Debian Patch cacti_0.6.7-2.1_all.deb
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1_all.deb
Raxnet Cacti 0.6.8:
  Raxnet Upgrade cacti-0.6.8a.tar.gz
  http://www.raxnet.net/downloads/cacti-0.6.8a.tar.gz

Related information

Routing Table <knights@knights-of-the-routing-table.org>

References:
http://online.securityfocus.com/advisories/4460
http://online.securityfocus.com/archive/1/290323

Related homepage: http://www.raxnet.net/products/cacti/
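
The input validation error this advisory describes, as an added example (not code from Cacti or from the advisory): a label pasted into a shell command string is subject to command substitution, while the same label passed as an argument vector or shell-quoted stays literal text. Assumptions: a POSIX `/bin/sh` is available, `echo` stands in for the graphing program, all function names and the allowlist are hypothetical, and the sample label is constructed after the advisory's test string with a relative path so the marker file lands in a temporary directory.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Hypothetical allowlist for label text: letters, digits, spaces, basic punctuation.
LABEL_RE = re.compile(r"[A-Za-z0-9 _.,:%/()-]{0,64}")

def _run(cmd, workdir, shell):
    """Run the stand-in grapher; return (stdout, whether the marker file appeared)."""
    out = subprocess.run(cmd, shell=shell, cwd=workdir,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip(), os.path.exists(os.path.join(workdir, "touched"))

def render_unsafe(label, workdir):
    # Vulnerable pattern: the label is interpolated into a string that /bin/sh
    # parses, so $(...) inside it runs as command substitution.
    return _run('echo graph --vertical-label "%s"' % label, workdir, shell=True)

def render_argv(label, workdir):
    # Hardened: no shell involved; the label is a single argv element.
    return _run(["echo", "graph", "--vertical-label", label], workdir, shell=False)

def render_quoted(label, workdir):
    # Hardened when a shell cannot be avoided: quote the value first.
    return _run("echo graph --vertical-label " + shlex.quote(label), workdir, shell=True)

def is_valid_label(label):
    # Input validation at the form boundary, in addition to safe invocation.
    return LABEL_RE.fullmatch(label) is not None

def demo():
    label = "$(touch touched)"  # constructed sample input
    results = {}
    for fn in (render_unsafe, render_argv, render_quoted):
        with tempfile.TemporaryDirectory() as workdir:
            results[fn.__name__] = fn(label, workdir)
    return results

if __name__ == "__main__":
    for name, (stdout, marker) in demo().items():
        print(name, repr(stdout), "marker created:", marker)
    print("allowlist accepts sample label:", is_valid_label("$(touch touched)"))
```
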