[Bug 599239] New: VUL-0: cacti: SQL injection in template_export

http://bugzilla.novell.com/show_bug.cgi?id=599239 http://bugzilla.novell.com/show_bug.cgi?id=599239#c0 Summary: VUL-0: cacti: SQL injection in template_export Classification: openSUSE Product: openSUSE 11.0 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security AssignedTo: crrodriguez@novell.com ReportedBy: lnussel@novell.com QAContact: qa@suse.de CC: security-team@suse.de Found By: Other Blocker: --- Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. ------------------------------------------------------------------------------ Date: Fri, 23 Apr 2010 15:35:25 +0200 From: "Thijs Kinkhorst" Subject: [oss-security] CVE Request: cacti SQL injection in template_export Hi, On Wednesday an SQL injection issue was announced on Full Disclosure by "Bonsai Information Security": http://seclists.org/fulldisclosure/2010/Apr/272, quoting:

A Vulnerability has been discovered in Cacti, which can be exploited by any user to conduct SQL Injection attacks. Input passed via the “export_item_id” parameter to “templates_export.php” script is not properly sanitized before being used in a SQL query.

Upstream has issued a patch for this issue: http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_exportp... (but no new release yet) thanks, Thijs -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.