Joined: 12 May 2004
|Posted: Thu Dec 06, 2007 12:26 am Post subject: [ GLSA 200712-02 ] Cacti: SQL injection
|Gentoo Linux Security Advisory
Title: Cacti: SQL injection (GLSA 200712-02)
Date: December 05, 2007
An SQL injection vulnerability has been discovered in Cacti.
Cacti is a complete web-based frontend to rrdtool.
Vulnerable: < 0.8.7a
Unaffected: >= 0.8.6j-r7 < 0.8.7
Unaffected: >= 0.8.7a
Architectures: All supported architectures
It has been reported that the "local_graph_id" variable used in the file graph.php is not properly sanitized before being processed in an SQL statement.
A remote attacker could send a specially crafted request to the vulnerable host, possibly resulting in the execution of arbitrary SQL code.
There is no known workaround at this time.
All Cacti users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6j-r7"