From: <jer...@or...> - 2017-03-08 10:37:11
|
Hello, I am a student at the University of Lille, in France I begin my studies in network security. I have to present a vulnerability : CVE-2016-3172 (SQL Injection / tree.php) + CVE-2015-8604 (SQL Injection / graphs_new.php) For CVE-2015-8604 : http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2015-8604 http://www.openwall.com/lists/oss-security/2016/03/10/13 Can you explain this vulnerability : - how to reproduce it ? - how to correct it? "The parameter parent_id is used without any validation." - Can you explain what the "parent_id" is, what is its function? - What is the impact ? An example ? I don't have access to cacti bug tracker : - Can you give me a copy of the cacti bug tracker : - Can you tell me, how this CVE was corrected ? The simple principle ? the same thing for CVE-2016-3172 https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2016-3172 thank you Cordialement [Logo Orange]<http://www.orange.com/> Jérôme Strabach Analyste Qualité de fonctionnement du Réseaux Cœur Voix ORANGE/OF/DTSI/DERS/DR/DRM/VMI/CCI ET PERF Lyon Sévigné Mobile : +33 6 71 54 75 23 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2071%2054%2075%2023> jer...@or...<mailto:jer...@or...> [cid:image002.png@01D297FD.49A313F0] _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. |
From: Jarosław K. - I. <jk...@in...> - 2017-03-08 12:46:57
|
This version is obsolette use gitversion. Please make an issue on github: https://github.com/Cacti/cacti Regards JK On 08.03.2017 11:37, jer...@or... wrote: > Hello, > > I am a student at the University of Lille, in France > I begin my studies in network security. > I have to present a vulnerability : CVE-2016-3172 (SQL Injection / tree.php) + CVE-2015-8604 (SQL Injection / graphs_new.php) > > For CVE-2015-8604 : > http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2015-8604 > http://www.openwall.com/lists/oss-security/2016/03/10/13 > > Can you explain this vulnerability : > - how to reproduce it ? > - how to correct it? > "The parameter parent_id is used without any validation." > > - Can you explain what the "parent_id" is, what is its function? > > - What is the impact ? An example ? > > > > I don't have access to cacti bug tracker : > > - Can you give me a copy of the cacti bug tracker : > > - Can you tell me, how this CVE was corrected ? The simple principle ? > > > > the same thing for CVE-2016-3172 > > https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2016-3172 > > thank you > > Cordialement > > [Logo Orange]<http://www.orange.com/> > Jérôme Strabach > Analyste Qualité de fonctionnement du Réseaux Cœur Voix > ORANGE/OF/DTSI/DERS/DR/DRM/VMI/CCI ET PERF > Lyon Sévigné > Mobile : +33 6 71 54 75 23 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2071%2054%2075%2023> > jer...@or...<mailto:jer...@or...> > > [cid:image002.png@01D297FD.49A313F0] > > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. > > > > > ------------------------------------------------------------------------------ > Announcing the Oxford Dictionaries API! The API offers world-renowned > dictionary content that is easy and intuitive to access. Sign up for an > account today to start using our lexical data to power your apps and > projects. Get started today and enter our developer competition. > http://sdm.link/oxford > > > _______________________________________________ > cacti-user mailing list > cac...@li... > https://lists.sourceforge.net/lists/listinfo/cacti-user -- Jarosław Kłopotek kom. 607 893 111 Interduo Ł. Bujek, J. Kłopotek, J. Sowa s.c. ul. Lubelska 36B/40, 21-100 Lubartów tel. 81 475 30 00 |
From: Mik J <mik...@ya...> - 2017-03-14 00:58:52
|
T'es pas très curieux pour quelqu'un qui fait de la sécurité.Tu demandes les réponses sans être allé au bout des choses, certes tu as un peu cherché et bien formulé ton mail mais c'est vraiment pas assez...vraiment pas. Trouve le code avant correctif et après correctif, fais un diff. Tu observeras ce qui a été corrigé et ça sera un bon début pour trouver comment reproduire l'exploit. Et prépare toi à recevoir du spam puisque tu as écris avec ta boite pro =)) Le Mercredi 8 mars 2017 11h38, "jer...@or..." <jer...@or...> a écrit : Hello, I am a student at the University of Lille, in France I begin my studies in network security. I have to present a vulnerability : CVE-2016-3172 (SQL Injection / tree.php) + CVE-2015-8604 (SQL Injection / graphs_new.php) For CVE-2015-8604 : http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2015-8604 http://www.openwall.com/lists/oss-security/2016/03/10/13 Can you explain this vulnerability : - how to reproduce it ? - how to correct it? "The parameter parent_id is used without any validation." - Can you explain what the "parent_id" is, what is its function? - What is the impact ? An example ? I don't have access to cacti bug tracker : - Can you give me a copy of the cacti bug tracker : - Can you tell me, how this CVE was corrected ? The simple principle ? the same thing for CVE-2016-3172 https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2016-3172 thank you Cordialement [Logo Orange]<http://www.orange.com/> Jérôme Strabach Analyste Qualité de fonctionnement du Réseaux Cœur Voix ORANGE/OF/DTSI/DERS/DR/DRM/VMI/CCI ET PERF Lyon Sévigné Mobile : +33 6 71 54 75 23 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2071%2054%2075%2023> jer...@or...<mailto:jer...@or...> [cid:image002.png@01D297FD.49A313F0] _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. ------------------------------------------------------------------------------ Announcing the Oxford Dictionaries API! The API offers world-renowned dictionary content that is easy and intuitive to access. Sign up for an account today to start using our lexical data to power your apps and projects. Get started today and enter our developer competition. http://sdm.link/oxford _______________________________________________ cacti-user mailing list cac...@li... https://lists.sourceforge.net/lists/listinfo/cacti-user |