
List:       oss-security
Subject:    Re: [oss-security] CVE Request: cacti SQL injection in
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-04-26 19:23:24
Message-ID: 1443512040.1850561272309804241.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

----- "Thijs Kinkhorst" <thijs@debian.org> wrote:
> 
> On Wednesday an SQL injection issue was announced on Full Disclosure by
> "Bonsai Information Security":
> http://seclists.org/fulldisclosure/2010/Apr/272, quoting:
> > 
> > A Vulnerability has been discovered in Cacti, which can be exploited by
> > any user to conduct SQL Injection attacks. Input passed via the
> > "export_item_id" parameter to "templates_export.php" script is not
> > properly sanitized before being used in a SQL query.
> 
> Upstream has issued a patch for this issue:
> http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
> (but no new release yet)
> 

Please use CVE-2010-1431 for this.

Thanks.

-- 
    JB
