Date: Tue, 9 Feb 2016 19:51:14 +0100 From: Andreas Stieger <astieger@...e.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE Request: cacti: Authentication using web authentication as a user not in the,cacti database allows complete access Could a CVE ID please assigned for the following issue: http://svn.cacti.net/viewvc/cacti/tags/0.8.8g/docs/CHANGELOG?revision=7788&view=markup -bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access http://bugs.cacti.net/view.php?id=2656 Classified by upstream as a security fix. Upstream fix is http://svn.cacti.net/viewvc?view=rev&revision=7770 https://bugzilla.suse.com/show_bug.cgi?id=965930 Accessing cacti using a user name not the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages. The bug is in auth_login.php which fails to check the query actually found any data or not. Fixed in tagged but (as of writing) unreleased 0.8.8g. Thanks, Andreas -- Andreas Stieger <astieger@...e.com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ