Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Feb 2016 19:51:14 +0100
From: Andreas Stieger <>
Subject: CVE Request: cacti: Authentication using web authentication as a user
 not in the,cacti database allows complete access

Could a CVE ID please assigned for the following issue:
-bug:0002656: Authentication using web authentication as a user not in the
cacti database allows complete access Classified by upstream as a security fix.
Upstream fix is

Accessing cacti using a user name not the cacti database fills the log with
database error messages and allows complete access to everything, including the
user administration pages. The bug is in auth_login.php which fails to check
the query actually found any data or not.

Fixed in tagged but (as of writing) unreleased 0.8.8g.


Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton,
HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.