Cacti "Linux - Get Memory Usage" Remote Command Execution Vulnerability

Vulnerability ID: 1118668    Vulnerability type: Permissions, privileges and access control
Published: 2009-11-16    Updated: 2010-01-12
CVE ID: CVE-2009-4112    CNNVD ID: CNNVD-200911-316
Platform: PHP    CVSS score: 9.0
|Vulnerability sources
https://www.exploit-db.com/exploits/33377
https://www.securityfocus.com/bid/37137
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200911-316
|Vulnerability details
Cacti is a network traffic monitoring and graphing tool built on PHP, MySQL, SNMP and RRDTool. Cacti 0.8.7e and earlier versions contain a security vulnerability. An attacker can exploit this vulnerability to gain privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/37145/info

The Joomla! ProofReader component is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

The issue affects ProofReader 1.0 RC9 and prior.

The following proof-of-concept URIs are available:

http://www.example.com/1";alert(document.cookie);//
http://www.example.com/page?";alert(document.cookie);//
|Affected products
S.u.S.E. openSUSE 11.0
Planet Technology WSW-2401 0.8.6 h
Planet Technology WSW-2401 0.8.6 g
Cacti Cacti 0.8.7
Cacti Cacti 0.8.6 f
Cacti Cacti 0.8.6 c
Cacti
|References

Source: BID
Name: 37137
Link: http://www.securityfocus.com/bid/37137
Source: FULLDISC
Name: 20091125 Cacti 0.8.7e: Multiple security issues
Link: http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html