Secunia

Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct SQL injection attacks or compromise a vulnerable system.

1) Input passed to the "id" parameter in config_settings.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the "config[include_path]" parameter in config_settings.php and the "config[library_path]" parameter in top_graph_header.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from external or local resources.

Successful exploitation requires that the "register_global" feature is enabled.

3) Input passed to the "graph_start" parameter in "graph_image.php" isn't properly verified before being used. This can be exploited to inject arbitrary shell commands.

NOTE: The vulnerabilities #1 and #3 were originally fixed in version 0.8.6e. However, it is reportedly possible to bypass the added security checks via a specially crafted combination of GET and POST/COOKIE data.

Solution
Update to version 0.8.6f.
Further details available in Customer Area

Provided and/or discovered by
1) Discovered by anonymous person and reported via iDEFENSE.
2) Maciej Piotr Falkiewicz
3) Alberto Trivero

Additional information provided by:
Stefan Esser, Hardened-PHP Project

Changelog
Further details available in Customer Area

Original Advisory
Cacti.net:
http://www.cacti.net/changelog.php
http://www.cacti.net/release_notes_0_8_6e.php

iDEFENSE:
http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities

Stefan Esser:
http://www.hardened-php.net/advisory-032005.php
http://www.hardened-php.net/advisory-042005.php

Deep Links
Links available in Customer Area