Re: SQL Injection in CACTI

[Cedric Blancher <blancher () cartel-securite fr>]

Le mar 17/08/2004 à 10:53, Thomas Chiverton a écrit :
> >                 php_flag magic_quotes_gpc Off
> Cacti 0.8.5a does not ship with this set Off*, so this must be a Debian 
> packaging error.

Cacti does not ship PHP. This option is related to PHP configuration,
not to Cacti, that should not rely on any PHP specific option unless
clearly mentionned (e.g. "Cacti must have magic_quotes_gpc set to On"),
would it be default or not.
I just checked available PHP distros, i.e. 4.3.8 and 5.0.1. They are
shipped with two php.ini files, php.ini-distand php.ini-recommanded. The
first one has magic_quotes_gpc set to On, but it is set to Off in the
second one...

> The install instructions at 
> http://www.raxnet.net/products/cacti/documentation.php?action=view&id=6
> make no mention off having to disable the magic quote feature.

True. And it is not mentionned to have it On either.

> I am running this version of Cacti with magic quotes On fine, this is the PHP 
> default, afaik.

Cacti should not rely on specific PHP configuration to escape characters
using magic quotes in order to prevent command/code/SQL/whatever
injection, or any security stuff, but its own code to validate user
input.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> > Hi! I'm your friendly neighbourhood signature virus.
> > Copy me to your signature file and help me spread!