Description:
-----------
It is possible for an authenticated user in Cacti to modify the graph_start and graph_end parameter values in the URL, specifying much larger numbers than expected, in order to make Cacti use all of the server's CPU.

For example, if a user modifies a graph URL as seen in the location bar:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034

to this one:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000

rrdtool will take 100% of the CPU (for a long time). By issuing multiple requests like this, an attacker can create a denial of service on the server running Cacti.

This was tested on the current version, but should work on previous versions as well.

Solution:
--------
You should modify the check done in the file lib/html_validate.php (function input_validate_input_number) by adding a second check like this:

    function input_validate_input_number($value) {
        /* existing check: the value must be numeric or empty */
        if ((!is_numeric($value)) && ($value != "")) {
            die_html_input_error();
        }
        /* added check: reject values far beyond any plausible Unix timestamp */
        if ($value >= 10000000000) {
            die_html_input_error();
        }
    }

The Cacti team has now patched the source in their SVN:
http://svn.cacti.net/cgi-bin/viewcvs.cgi/branches/BRANCH_0_8_6/cacti/graph_image.php?rev=3956&r1=3898&r2=39

More info:
---------
http://mdessus.free.fr/?p=15
http://bugs.cacti.net/view.php?id=955

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
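As an added example (not part of the advisory or of Cacti's own code), the check suggested above mirrored in Python and applied to web-server access logs, so an administrator can spot graph_image.php requests carrying out-of-range graph_start/graph_end values before or after deploying the patch. The log lines are constructed samples, and the bound is the 10000000000 value from the advisory's fix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Upper bound taken from the advisory's suggested input_validate_input_number() fix
MAX_TIMESTAMP = 10_000_000_000

def validate_input_number(value: str) -> bool:
    """Mirror of the advisory's check: numeric (or empty) and below the bound."""
    if value == "":
        return True
    try:
        n = float(value)
    except ValueError:
        return False
    return n < MAX_TIMESTAMP

def oversized_graph_params(url: str) -> list[str]:
    """Return the graph_start/graph_end parameters in `url` that fail the check."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    bad = []
    for key in ("graph_start", "graph_end"):
        for v in qs.get(key, []):
            if not validate_input_number(v):
                bad.append(key)
    return bad

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2007:10:00:01 +0000] "GET /cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jan/2007:10:00:02 +0000] "GET /cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jan/2007:10:00:03 +0000] "GET /cacti/graph_image.php?local_graph_id=3&graph_start=abc&graph_end=1179871034 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_text: str) -> list[tuple[str, list[str]]]:
    """(client_ip, offending params) for each graph_image.php request failing the check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        if "graph_image.php" not in path:
            continue
        bad = oversized_graph_params(path)
        if bad:
            hits.append((ip, bad))
    return hits

if __name__ == "__main__":
    for ip, params in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: out-of-range {', '.join(params)}")
```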