North American Network Operators Group


Re: FW: [cacti-announce] Cacti 0.8.6j Released (fwd)

  • From: Jeremy Chadwick
  • Date: Thu Jan 18 14:22:56 2007

On Thu, Jan 18, 2007 at 11:40:06AM -0600, Gadi Evron wrote:
> Many of us run cacti. FYI.

Thanks for posting this, even though it's slightly OT.

Not to start an opinion war, but those who do run Cacti should
really consider removing this software from their boxes
permanently.

http://secunia.com/advisories/23528/

For those who don't have the time/care enough to go look
at the Secunia report, I'll summarise it:

1) cmd.php and copy_cacti_user.php both blindly pass
   arguments passed in the URL to system().  This, IMHO, is
   reason enough to not run this software.

2) cmd.php and copy_cacti_user.php both blindly pass
   arguments passed in the URL to whatever SQL back-end
   is used (MySQL most commonly); no escaping or sanitising
   is done.  Otherwise known as an "SQL injection" flaw.

There are other flaws mentioned, but they're simply subsets
of the above two.  Also, register_argc_argv is enabled
(rightfully so) by default in PHP, so don't let that decrease
the severity of this atrocity.  (I can forgive SQL injections,
but cannot blindly calling system()).

I'd been considering (off and on for about a year) using Cacti
for statistics gathering, and now I'm glad I didn't.  This
kind of flaw reflects directly on the programming ethics of
the authors behind this software.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
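The two patterns the post summarises from the advisory, a URL argument passed straight to system() and a URL argument spliced into SQL, are shown below each beside a defensive rewrite. This is an added example written for this archive page; it is not Cacti's code and not the poster's. The poller binary path, the `host` table, and the script names are hypothetical, and the mysqli part assumes the mysqlnd driver (needed for `get_result()`). The final block also shows the SAPI check a script intended for the command line should make, since with register_argc_argv on a web request's query string is what populates `$argv`.

```php
<?php
// Added example (not Cacti's code). Paths, table and column names are hypothetical.

// --- Pattern 1: URL argument handed straight to system() ---
// Vulnerable shape: the query-string value becomes part of the shell command line,
// so any shell metacharacters in it are honoured by /bin/sh.
function run_poller_unsafe(string $pollerId): void
{
    system('/usr/local/bin/poller --id=' . $pollerId);   // hypothetical binary
}

// Hardened: reject anything that is not a small integer, then quote what remains.
// escapeshellarg() wraps the value in single quotes and escapes embedded quotes.
function run_poller_safe(string $pollerId): bool
{
    if (!preg_match('/^\d{1,6}$/', $pollerId)) {         // allow-list, not a deny-list
        return false;
    }
    $cmd = '/usr/local/bin/poller --id=' . escapeshellarg($pollerId);
    system($cmd, $status);
    return $status === 0;
}

// --- Pattern 2: URL argument interpolated into SQL ---
// Vulnerable shape: string concatenation into the query text, no escaping at all.
function lookup_host_unsafe(mysqli $db, string $hostId): ?array
{
    $res = $db->query('SELECT id, hostname FROM host WHERE id = ' . $hostId);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened: a prepared statement keeps the value out of the query text entirely;
// the type check on top is cheap and gives a clear failure mode.
function lookup_host_safe(mysqli $db, string $hostId): ?array
{
    if (!ctype_digit($hostId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, hostname FROM host WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $hostId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// --- A command-line-only script should refuse web requests before reading argv ---
// With register_argc_argv enabled, a web request populates $argv from the query
// string, so "this script only takes argv" is no protection on its own.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit("This script runs from the command line only.\n");
}

$id = $argv[1] ?? '';
if (!run_poller_safe($id)) {
    fwrite(STDERR, "rejected or failed poller id: {$id}\n");
    exit(1);
}
```

The allow-list checks are deliberately stricter than the quoting alone: escapeshellarg() and prepared statements stop the injection, but accepting only the shape of value the script actually needs (a short integer id) also turns a malformed request into a logged rejection rather than a silently tolerated oddity.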