Control: severity -1 important
Control: tags -1 pending

Hi all,
On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Severity: grave
> CVE-2017-16641[0]:
> | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> | to execute arbitrary OS commands via the path_rrdtool parameter in an
> | action=save request to settings.php.

Although this is true, and this parameter is not meant to be used like this, the cacti *admin* has always had this possibility via the "Data Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be raised. I just confirmed that I could indeed still do this via that (trivial) route.

So just to be clear (and I don't particularly like it), the power of the cacti *admin* has long been known and has been accepted as unfixed for multiple Debian releases. Therefore I lower the severity of this bug.

Unfortunately the upstream patch for this bug does not simply apply to pre-1.x versions of cacti. I am not comfortable (yet) with creating a patch for those versions, and due to CVE-2009-4112, I don't think it is worth fixing this in stable and older.

Paul

PS: One other option is to raise the severity of 561339 again, but I don't expect the patch to then miraculously turn up.