FW: [cacti-announce] Cacti 0.8.6j Released (fwd)

Jon Lewis jlewis at lewis.org
Thu Jan 18 20:40:15 UTC 2007

On Thu, 18 Jan 2007, Jeremy Chadwick wrote:

> For those who don't have the time/care enough to go look
> at the Secunia report, I'll summarise it:
> 1) cmd.php and copy_cacti_user.php both blindly pass
>   arguments passed in the URL to system().  This, IMHO, is
>   reason enough to not run this software.

I've said this several times recently in less public places, but IMO, 
cacti is a bit of a security train wreck.  The glaring problem isn't that 
the above mentioned php scripts have poor security / user supplied input 
sanitization.  It's that those scripts were never intended to be run via 
the web server.  So WTF are they doing in a directory served by the web 
server in a default cacti install?  It seems to me, it would make much 
more sense for cacti to either split itself into 2 totally separate 
directories, one for things the web server needs to serve, one for 
everything else, or at least put all the 'web content' portions under one 
subdirectory of the cacti install directory, so that subdirectory can be 
either the DocumentRoot of a server or symlinked from elsewhere in a 
DocumentRoot.  There's no reason for things like poller.php or any of the 
others that are only meant to be run by the admin from the commandline to 
be in directories served by the web server.

I've heard from several people, and spent some time trying to help one of 
them, who had servers compromised (entry via cacti, then a local root 
compromise) over the past weekend due to this.

  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

More information about the NANOG mailing list