ID CVE-2006-6799
Summary SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function.
References
Vulnerable Configurations
  • cpe:2.3:a:the_cacti_group:cacti:0.8.6i
CVSS
Base: 7.5 (as of 29-12-2006 - 09:06)
Impact:
Exploitability:
Access
Vector   Complexity  Authentication
NETWORK  LOW         NONE
Impact
Confidentiality  Integrity  Availability
PARTIAL          PARTIAL    PARTIAL
exploit-db via4
id EDB-ID:3029
nessus via4
  • NASL family CGI abuses
    NASL id CACTI_CMD_PHP_CMD_EXEC.NASL
    description The remote host is running Cacti, a web-based front end to RRDTool for network graphing. The version of Cacti on the remote host does not properly check to ensure that the 'cmd.php' script is being run from a command line and fails to sanitize user-supplied input before using it in database queries. Provided PHP's 'register_argc_argv' parameter is enabled, which is the default, an attacker can launch SQL injection attacks against the underlying database and even execute arbitrary code on the remote host subject to the privileges of the web server user id.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 23963
    published 2007-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23963
    title Cacti cmd.php Multiple Parameter SQL Injection Arbitrary Command Execution
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200701-23.NASL
    description The remote host is affected by the vulnerability described in GLSA-200701-23 (Cacti: Command execution and SQL injection) rgod discovered that the Cacti cmd.php and copy_cacti_user.php scripts do not properly control access to the command shell, and are remotely accessible by unauthenticated users. This allows SQL injection via cmd.php and copy_cacti_user.php URLs. Further, the results from the injected SQL query are not properly sanitized before being passed to a command shell. The vulnerabilities require that the 'register_argc_argv' option is enabled, which is the Gentoo default. Also, a number of similar problems in other scripts were reported. Impact : These vulnerabilities can result in the execution of arbitrary shell commands or information disclosure via crafted SQL queries. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 24308
    published 2007-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24308
    title GLSA-200701-23 : Cacti: Command execution and SQL injection
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CACTI-2447.NASL
    description A command injection in cmd.php in cacti was fixed, which might have allowed remote attackers to inject commands and so execute code. (CVE-2006-6799)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27169
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27169
    title openSUSE 10 Security Update : cacti (cacti-2447)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1250.NASL
    description It was discovered that cacti, a frontend to rrdtool, performs insufficient validation of data passed to the 'cmd' script, which allows SQL injection and the execution of arbitrary shell commands.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 24247
    published 2007-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24247
    title Debian DSA-1250-1 : cacti - missing input sanitising
refmap via4
bid 21799
bugtraq 20070118 Re: FW: [cacti-announce] Cacti 0.8.6j Released
confirm http://www.cacti.net/release_notes_0_8_6j.php
debian DSA-1250
exploit-db 3029
gentoo GLSA-200701-23
mandriva MDKSA-2007:015
openpkg OpenPKG-SA-2007.001
sectrack 1017451
secunia
  • 23528
  • 23665
  • 23917
  • 23941
suse SUSE-SA:2007:007
vupen ADV-2006-5193
xf cacti-cmd-sql-injection(31177)
Last major update 07-03-2011 - 21:47
Published 28-12-2006 - 16:28
Last modified 17-10-2018 - 17:49