cacti -- SQL injection

ID CA543E06-207A-11D9-814E-0001020EED82
Type freebsd
Reporter FreeBSD
Modified 2004-08-16T00:00:00


Fernando Quintero reports that Cacti 0.8.5a is vulnerable to SQL injection, which allows an attacker to change the password of any Cacti user. The attack is not possible if the PHP option magic_quotes_gpc is set to On, which is the default for PHP in FreeBSD.