perfsonar-user - Re: [perfsonar-user] "Cacti Graphs" allows guest to make setting changes
- From: Jim Warner <>
- To: "" <>
- Cc: "Wang, Yu" <>
- Subject: Re: [perfsonar-user] "Cacti Graphs" allows guest to make setting changes
- Date: Wed, 18 Jun 2014 08:16:37 -0700
Two things may be mixed together here. The April change to Cacti was to fix a failure to check inputs that could lead to an injection attack. The subject line in the message is about whether guests can make anonymous permanent changes to the state of Cacti without being able to take over and deface the web page. That appears to still be possible. It looks like the "work around" in Jason's message can prevent that by blocking guest access to the config page.
On Wed, Jun 18, 2014 at 4:58 AM, Jason Zurawski <> wrote:
All;
The mail in question is in the archive:
https://lists.internet2.edu/sympa/arc/perfsonar-user/2014-04/msg00122.html
Thanks;
-jason
On Jun 17, 2014, at 4:22 PM, Andrew Lake <> wrote:
> Hi,
>
> As a current workaround, I had luck following instructions sent around when a Cacti CVE was announced a few months back. See the forwarded message below. In theory any box updated since then should not need these patches, so we need to find out what else is happening. In the meantime, below should hopefully do the trick.
>
> Thanks,
> Andy
>
>
>
> On Jun 17, 2014, at 4:39 PM, "Wang, Yu" <> wrote:
>
>>
>> Our security team alerted us that our perfsonar box was hacked and defaced and may contain harmful content. The defacer left their names on the Cacti graphs ‘settings’ page:
>>
>> <image001.png>
>>
>> After investigation, I found out that our server and MySQL database were not compromised. The ‘defacer’ used the ‘Cacti Graphs’ link to get to the Cacti guest page. Then they went to ‘settings’, checked ‘Use Custom Fonts’, typed in their names and clicked ‘Save’.
>>
>> Since we have a separate Cacti server for our network, we never used the Cacti that came with perfsonar and left it with default configurations (allow guest access to graphs). I randomly checked several perfsonar sites and they all have this setting. My question is “Should we remove/disable guest access or disable the ‘Cacti Graphs’ link by default?” Although this kind of action does no damage to the server and database, it does put frowns on my supervisor’s face. Not to mention I had to put down everything and spend a few hours checking the server, database, and logs.
>>
>> I am installing a couple of new perfsonar servers and cacti will not be included.
>>
>> Thank you.
>>
>> Yu Wang
>> ____________________________
>> Network Architect
>> Information Technology Services
>> The Florida State University
>> 850-645-6810
>>