
List:       oss-security
Subject:    [oss-security] CVE Request: cacti SQL injection in template_export
From:       "Thijs Kinkhorst" <thijs () debian ! org>
Date:       2010-04-23 13:35:25
Message-ID: 96642b6e35f857b3b0b4afb1dc23e525.squirrel () wm ! kinkhorst ! nl

Hi,

On Wednesday an SQL injection issue was announced on Full Disclosure by
"Bonsai Information Security":
http://seclists.org/fulldisclosure/2010/Apr/272, quoting:
> A Vulnerability has been discovered in Cacti, which can be exploited by
> any user to conduct SQL Injection attacks. Input passed via the
> “export_item_id” parameter to “templates_export.php” script is not
> properly sanitized before being used in a SQL query.

Upstream has issued a patch for this issue:
http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
(but no new release yet)


thanks,
Thijs
