oss-sec mailing list archives
Re: CVE Request -- Cacti v0.8.7 -- three security fixes
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 27 May 2010 15:41:35 -0400 (EDT)
On Wed, 26 May 2010, Josh Bressers wrote:
> [A], MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
>      http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
>      http://www.vupen.com/english/advisories/2010/1204
>
>      Credit: The vulnerability was discovered by Stefan Esser as part of the SQL Injection Marathon.
>      Upstream changeset: http://svn.cacti.net/viewvc?view=rev&revision=5920
>
> Steve, you've been handling the MOPS stuff. I'm going to leave this one alone unless you tell me otherwise (I don't want to dupe).
Use CVE-2010-2092, to be filled in later today (with a bunch of other MOPS issues).
> [C], SQL injection and shell escaping issues reported by Bonsai Information Security (http://www.bonsai-sec.com)

Josh assigned CVE-2010-1645 for the OS command issue. The SQL injection that Jan is referring to in the original request is most likely CVE-2010-1431, which was disclosed by Bonsai back in April.
- Steve