Mailinglist Archive: opensuse-bugs (4766 mails)

[Bug 599239] New: VUL-0: cacti: SQL injection in template_export
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 23 Apr 2010 14:14:51 +0000
  • Message-id: <bug-599239-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>
http://bugzilla.novell.com/show_bug.cgi?id=599239

http://bugzilla.novell.com/show_bug.cgi?id=599239#c0


Summary: VUL-0: cacti: SQL injection in template_export
Classification: openSUSE
Product: openSUSE 11.0
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: crrodriguez@xxxxxxxxxx
ReportedBy: lnussel@xxxxxxxxxx
QAContact: qa@xxxxxxx
CC: security-team@xxxxxxx
Found By: Other
Blocker: ---


Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Fri, 23 Apr 2010 15:35:25 +0200
From: "Thijs Kinkhorst" <thijs@xxxxxxxxxx>
Subject: [oss-security] CVE Request: cacti SQL injection in template_export

Hi,

On Wednesday an SQL injection issue was announced on Full Disclosure by
"Bonsai Information Security":
http://seclists.org/fulldisclosure/2010/Apr/272, quoting:
A Vulnerability has been discovered in Cacti, which can be exploited by
any user to conduct SQL Injection attacks. Input passed via the
“export_item_id” parameter to “templates_export.php” script is not
properly sanitized before being used in a SQL query.

Upstream has issued a patch for this issue:
http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_exportpatch
(but no new release yet)


thanks,
Thijs
