Together with my friend Antonio "s4tan" Parata, we released this advisory affecting Cacti 0.8.7a. The issues found include XSS, SQL Injection, Path Disclosure and HTTP Response Splitting. Some of the bugs are logical flaws related to the use of $_REQUEST: filters were applied to $_GET or $_POST, but $_REQUEST was used later. Since $_REQUEST is built in an order defined in php.ini (normally GPC), it was possible to bypass the check by injecting the malicious payload in POST or COOKIE for GET, and in COOKIE for POST.
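The filter/use mismatch described above, next to a corrected form, as an added example that is not code from Cacti or from the advisory. The function names, the query text and the request values are constructed, and the superglobals are passed in as plain arrays so the script runs from the PHP command line.

```php
<?php
// Added illustration. Function names, the query text and the sample
// request values are constructed for this example, not taken from Cacti.

// Merge sources the way PHP fills $_REQUEST: for order "GPC" the later
// source overwrites the earlier one, so COOKIE beats POST beats GET.
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $request = array_replace($request, $sources[$letter] ?? []);
    }
    return $request;
}

// Flawed pattern: the filter inspects $get, the query uses $request.
function flawed_query(array $get, array $request): string
{
    if (!ctype_digit((string)($get['id'] ?? ''))) {
        throw new InvalidArgumentException('id must be numeric');
    }
    return 'SELECT name FROM items WHERE id = ' . $request['id'];
}

// Corrected pattern: validate one explicit source and use only the
// validated value; the id is returned as a bound parameter, not spliced in.
function safe_query(array $get): array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be numeric');
    }
    return ['SELECT name FROM items WHERE id = ?', [$id]];
}

// Constructed request: a clean GET parameter plus a same-named cookie.
$get     = ['id' => '42'];
$cookie  = ['id' => 'UNVALIDATED-COOKIE-VALUE'];
$request = build_request($get, [], $cookie);

echo flawed_query($get, $request), PHP_EOL;   // filter passed, cookie value is in the query
echo json_encode(safe_query($get)), PHP_EOL;  // only the validated integer is used
```

When auditing for this class of flaw, look for any code path where the array that is validated differs from the array that is later read.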
Cacti 0.8.7a Multiple Vulnerabilities

Name              Multiple Vulnerabilities in Cacti
Systems Affected  Cacti 0.8.7a and possibly earlier versions
Severity          High
Impact (CVSSv2)   High (9/10, vector: AV:N/AC:L/Au:N/C:C/I:P/A:P)
Vendor            http://www.cacti.net/
Advisory          http://www_ush_it/team/ush/hack-cacti087a/cacti.txt
Author            Francesco "ascii" Ongaro (ascii AT ush DOT it)
                  Antonio "s4tan" Parata (s4tan AT ush DOT it)
Date              20071218

I. BACKGROUND

From the cacti web site: "Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box".

II. DESCRIPTION

Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,