Re: cacti: CVE-2019-16723

Hi Salvatore, Paul,

I had a look at this issue in jessie, stretch and buster. I concluded that
jessie and stretch are not affected. I have reproduced the issue in buster.

# Quick breakdown:

Graphs are retrieved using rrdtool_function_graph() from lib/rrd.php, this
is true for jessie onwards.

rrdtool_function_graph() has a check for permissions, which is in fact very
similar to the ones introduced in 7a6a17252 and c7cf4a26e.

Before cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326[0] this check in
rrdtool_function_graph() was always executed. After this commit the check
is only executed when $user > 0.

Note: 0 is the default value for $user:
    function rrdtool_function_graph($local_graph_id, $rra_id, $graph_data_array,
        $rrdtool_pipe = '', &$xport_meta = array(), $user = 0) {

However graph_image.php, graph_json.php and rrdtool_function_xport() call
rrdtool_function_graph() without passing $user:
    $output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);

Hence, permissions are never checked after this commit. I don't think this
is the intended effect.

Now, let's try something: take 1.2.2+ds1-2+deb10u1, the version in buster
which is affected and simply revert cf73ae1a9f65b5a27d7f9d10:

--- a/lib/rrd.php       2019-10-16 13:24:08.590183640 +0200
+++ b/lib/rrd.php       2019-10-16 13:24:34.302046280 +0200
@@ -1171,11 +1171,11 @@

        /* before we do anything; make sure the user has permission to view this graph,
        if not then get out */
-       if ($user > 0) {
+       //if ($user > 0) {
                if (!is_graph_allowed($local_graph_id, $user)) {
                        return 'GRAPH ACCESS DENIED';
-       }
+       //}

        if (getenv('LANG') == '') {
                putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . '.UTF-8');

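Review bot: the brace pairing in this hunk deserves a second look before the revert is taken as the fix: with `if ($user > 0) {` and its `}` commented out, the single remaining `}` has to close the `is_graph_allowed()` block, so confirm against the full file that the structure is what the diff context suggests, and prefer deleting the guard lines over leaving `//if ($user > 0) {` and `//}` in place. With the guard gone, the callers named above that omit `$user` (graph_image.php, graph_json.php, rrdtool_function_xport()) now reach `is_graph_allowed($local_graph_id, 0)`, so the fix relies on is_graph_allowed() resolving a zero user id to the current session user, as the pre-cf73ae1a9 code did; the alternative would be to have those callers pass the user explicitly.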
Try to reproduce: this is sufficient to "fix" the issue and appears to
confirm previous analysis.

Any comments?


[0] https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132
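As an added illustration (not Cacti's code and not part of the mail above), a stand-alone PHP sketch of the default-argument pitfall described in the analysis, alongside a hardened variant that resolves a missing user from the session and fails closed. The ACL table, the session user argument and all function names are constructed for this example.

```php
<?php
// Constructed ACL for the example: graph id => user ids allowed to view it.
$ACL = [1 => [10], 2 => [10, 20]];

// Stand-in for is_graph_allowed(): a plain lookup, nothing more.
function is_graph_allowed_demo($local_graph_id, $user) {
    global $ACL;
    return isset($ACL[$local_graph_id])
        && in_array($user, $ACL[$local_graph_id], true);
}

// Same shape as the guarded check: the permission test only runs when
// $user > 0, so a caller that relies on the default of 0 never reaches it.
function graph_check_guarded($local_graph_id, $user = 0) {
    if ($user > 0) {
        if (!is_graph_allowed_demo($local_graph_id, $user)) {
            return 'GRAPH ACCESS DENIED';
        }
    }
    return 'GRAPH DATA';
}

// Hardened shape (an assumption for this example, not Cacti's own fix):
// a missing $user is taken from the session, the check always runs, and
// no resolvable user means deny.
function graph_check_hardened($local_graph_id, $user = 0, $session_user = 0) {
    if ($user <= 0) {
        $user = $session_user;
    }
    if ($user <= 0 || !is_graph_allowed_demo($local_graph_id, $user)) {
        return 'GRAPH ACCESS DENIED';
    }
    return 'GRAPH DATA';
}

// Caller in the style of graph_image.php: $user is not passed at all.
var_dump(graph_check_guarded(1));        // guard skipped, graph served to anyone
var_dump(graph_check_hardened(1, 0, 20)); // session user 20 is not in graph 1's ACL
var_dump(graph_check_hardened(1, 0, 10)); // session user 10 is allowed
var_dump(graph_check_hardened(1));        // no session user at all: denied
```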

