FW: [cacti-announce] Cacti 0.8.6j Released (fwd)
nanog at jdc.parodius.com
Thu Jan 18 19:21:00 UTC 2007
On Thu, Jan 18, 2007 at 11:40:06AM -0600, Gadi Evron wrote:
> Many of us run cacti. FYI.
Thanks for posting this, even though it's slightly OT.
Not to start an opinion war, but those who do run Cacti should
really consider removing this software from their boxes.
For those who don't have the time/care enough to go look
at the Secunia report, I'll summarise it:
1) cmd.php and copy_cacti_user.php both blindly pass
arguments passed in the URL to system(). This, IMHO, is
reason enough to not run this software.
2) cmd.php and copy_cacti_user.php both blindly pass
arguments passed in the URL to whatever SQL back-end
is used (MySQL most commonly); no escaping or sanitising
is done. Otherwise known as an "SQL injection" flaw.
There are other flaws mentioned, but they're simply subsets
of the above two. Also, register_argc_argv is enabled
(rightfully so) by default in PHP, so don't let that decrease
the severity of this atrocity. (I can forgive SQL injections,
but cannot forgive blindly calling system()).
I'd been considering (off and on for about a year) using Cacti
for statistics gathering, and now I'm glad I didn't. This
kind of flaw reflects directly on the programming ethics
of the authors behind this software.
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
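As an added illustration of the two flaw classes the post describes (constructed here, not Cacti's code and not part of the original message), the unsafe pattern is shown beside one way to harden it in PHP; the script logic, the `hosts` table, the `snmpget` command line and the `host` parameter are assumptions.

```php
<?php
// Constructed example, not Cacti's code. $host arrives from the URL ($_GET);
// with register_argc_argv enabled the same value can also arrive via $argv
// when the script is invoked from the command line, so neither source is trusted.

// --- Unsafe pattern (what the report describes): raw input into system() and SQL ---
function unsafe_poll(string $host, PDO $pdo)
{
    // Shell metacharacters in $host become part of the command line.
    system('/usr/bin/snmpget -v2c -c public ' . $host . ' sysUpTime.0');
    // A quote character in $host rewrites the query text: SQL injection.
    return $pdo->query("SELECT id FROM hosts WHERE hostname = '" . $host . "'");
}

// --- Hardened version: validate, escape for the shell, parameterise the SQL ---
function safe_poll(string $host, PDO $pdo): ?int
{
    // 1. Allow-list the shape of the value; a hostname needs only these characters.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    // 2. escapeshellarg() single-quotes the value so the shell sees exactly one argument.
    $cmd = '/usr/bin/snmpget -v2c -c public ' . escapeshellarg($host) . ' sysUpTime.0';
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);
    if ($status !== 0) {
        return null; // poll failed (or snmpget is not installed)
    }
    // 3. A prepared statement keeps the data out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id FROM hosts WHERE hostname = :hostname');
    $stmt->execute([':hostname' => $host]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Example use with a constructed in-memory table (assumes the pdo_sqlite extension).
$host = $_GET['host'] ?? '';
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE hosts (id INTEGER PRIMARY KEY, hostname TEXT)');
$pdo->exec("INSERT INTO hosts (hostname) VALUES ('router1.example.net')");
var_dump(safe_poll($host, $pdo));
```

Validation rejects anything that is not hostname-shaped before the value reaches either sink, so the escaping and the prepared statement are defence in depth rather than the only barrier.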