oss-sec mailing list archives
Re: CVE Request: cacti SQL injection in template_export
From: Josh Bressers <bressers () redhat com>
Date: Mon, 26 Apr 2010 15:23:24 -0400 (EDT)
----- "Thijs Kinkhorst" <thijs () debian org> wrote:
On Wednesday an SQL injection issue was announced on Full Disclosure by "Bonsai Information Security": http://seclists.org/fulldisclosure/2010/Apr/272, quoting:

A Vulnerability has been discovered in Cacti, which can be exploited by any user to conduct SQL Injection attacks. Input passed via the “export_item_id” parameter to “templates_export.php” script is not properly sanitized before being used in a SQL query.

Upstream has issued a patch for this issue: http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch (but no new release yet)

Please use CVE-2010-1431 for this.

Thanks.

-- JB
Current thread:
- CVE Request: cacti SQL injection in template_export Thijs Kinkhorst (Apr 23)
- Re: CVE Request: cacti SQL injection in template_export Josh Bressers (Apr 26)