GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Dec 06, 2007 12:26 am Post subject: [ GLSA 200712-02 ] Cacti: SQL injection
Gentoo Linux Security Advisory
Title: Cacti: SQL injection (GLSA 200712-02)
Severity: normal
Exploitable: remote
Date: December 05, 2007
Bug(s): #199509
ID: 200712-02
Synopsis
An SQL injection vulnerability has been discovered in Cacti.
Background
Cacti is a complete web-based frontend to rrdtool.
Affected Packages
Package: net-analyzer/cacti
Vulnerable: < 0.8.7a
Unaffected: >= 0.8.6j-r7 < 0.8.7
Unaffected: >= 0.8.7a
Architectures: All supported architectures
Description
It has been reported that the "local_graph_id" variable used in the file graph.php is not properly sanitized before being processed in an SQL statement.
Impact
A remote attacker could send a specially crafted request to the vulnerable host, possibly resulting in the execution of arbitrary SQL code.
Workaround
There is no known workaround at this time.
Resolution
All Cacti users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6j-r7"
References
CVE-2007-6035
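The advisory says local_graph_id reached an SQL statement without sanitization. The following is an added example, not Cacti code: it shows the kind of integer check that closes that gap, a lookup that binds the value as a parameter instead of interpolating it, and the same rule run over constructed access-log lines to flag requests carrying non-numeric ids. Table name, column names and the log lines are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from any real host). The second request carries a
# single quote in local_graph_id; a value that is really a numeric id never does.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2007:01:12:03 +0000] "GET /cacti/graph.php?local_graph_id=12&rra_id=all HTTP/1.1" 200 5120
10.0.0.9 - - [06/Dec/2007:01:12:09 +0000] "GET /cacti/graph.php?local_graph_id=12%27 HTTP/1.1" 500 311
10.0.0.9 - - [06/Dec/2007:01:12:15 +0000] "GET /cacti/index.php HTTP/1.1" 200 1400
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_valid_local_graph_id(raw):
    """True only for a non-negative decimal integer of sane length (the check graph.php lacked)."""
    return raw is not None and re.fullmatch(r"[0-9]{1,10}", raw) is not None

def fetch_graph_title(conn, raw_id):
    """Hardened lookup: validate first, then bind the id as a query parameter
    instead of interpolating it into the SQL string. Table name is hypothetical."""
    if not is_valid_local_graph_id(raw_id):
        raise ValueError(f"rejected local_graph_id: {raw_id!r}")
    row = conn.execute("SELECT title FROM graph_local WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None

def lookup_demo(raw_id):
    """Run fetch_graph_title against a throwaway in-memory table holding one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE graph_local (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO graph_local VALUES (12, 'cpu usage')")
    return fetch_graph_title(conn, raw_id)

def suspicious_requests(log_text):
    """Return (client, decoded local_graph_id) for every graph.php request whose
    id would fail is_valid_local_graph_id: the same rule, applied to the logs."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/graph.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %27 to '
        for value in params.get("local_graph_id", []):
            if not is_valid_local_graph_id(value):
                hits.append((line.split()[0], value))
    return hits
```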