Debian Security Advisory

DSA-2060-1 cacti -- insufficient input sanitization

Date Reported:
13 Jun 2010
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 582691.
In Mitre's CVE dictionary: CVE-2010-2092.
More information:

Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Due to checking the input of $_REQUEST but using $_GET input in a query an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value.

For the stable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 0.8.7e-4.

We recommend that you upgrade your cacti packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.