Cacti <= 0.8.7e - OS Command Injection

2014-07-01T00:00:00
ID SSV:68393
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

The vulnerability can be triggered by any user in either of the following ways:

1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without single quotes) and Save it. Edit the Device again and reload any data query already created. CMD will be executed with Web Server rights.
2) Edit or Create a Graph Template and use as Vertical Label ‘BonsaiSecLabel";CMD; "’ (without single quotes) and Save it. Go to Graph Management section and Select it. CMD will be executed with Web Server rights.

Note that other properties of a Graph Template might also be affected.
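
The mitigation for both triggers, as an added example that is not Cacti's own code: allow-list the device host field when it is saved, and pass every user-controlled value to the shell as one quoted word. The function names are hypothetical, the hostnames are constructed, and the example assumes a POSIX shell and that the label is handed to `rrdtool` as a command-line argument.

```php
<?php
// Added example; not Cacti source. All function names here are hypothetical.

// Accept only an IP literal or an RFC 1123 hostname for a device's host field.
function is_valid_device_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // \A ... \z (not ^ ... $) so a trailing newline cannot slip through.
    return strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/i', $host) === 1;
}

// Free-text fields such as a graph label cannot be allow-listed as tightly,
// so the binary and each argument are emitted as exactly one quoted shell word.
function build_command(string $binary, array $args): string
{
    $words = array_map('escapeshellarg', array_merge([$binary], $args));
    return implode(' ', $words);
}

// Constructed inputs: the two field values quoted in the description above,
// plus two well-formed hosts for comparison.
$bad_host  = 'NotARealIPAddress;CMD;';
$bad_label = 'BonsaiSecLabel";CMD; "';

// Validation at save time: only the well-formed values pass.
foreach ([$bad_host, 'router1.example.net', '192.0.2.10'] as $candidate) {
    printf("%-26s %s\n", $candidate, is_valid_device_host($candidate) ? 'accept' : 'reject');
}

// Quoting at execution time: the label stays a single argument, so the
// embedded ; and " are treated as literal characters by the shell.
echo build_command('/usr/bin/rrdtool', ['graph', '-', '--vertical-label', $bad_label]), "\n";
```

On PHP 7.4 and later, passing the argument array directly to `proc_open()` avoids the shell altogether, which removes the dependence on quoting.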