Date: Tue, 9 Feb 2016 19:51:14 +0100
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: cacti: Authentication using web authentication as a user not in the cacti database allows complete access

Could a CVE ID please be assigned for the following issue:

http://svn.cacti.net/viewvc/cacti/tags/0.8.8g/docs/CHANGELOG?revision=7788&view=markup
-bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access

http://bugs.cacti.net/view.php?id=2656
Classified by upstream as a security fix.
Upstream fix is http://svn.cacti.net/viewvc?view=rev&revision=7770

https://bugzilla.suse.com/show_bug.cgi?id=965930
Accessing cacti using a user name not in the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages.
The bug is in auth_login.php, which fails to check whether the query actually found any data or not.

Fixed in tagged but (as of writing) unreleased 0.8.8g.

Thanks,
Andreas

--
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
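
The failure mode described in the message above (a login path that never checks whether the user lookup returned a row), shown beside a fail-closed version. This is an added illustration, not part of the original message and not Cacti's auth_login.php; the table, function names and sample users are hypothetical, and it assumes PHP with the bundled pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added illustration only: hypothetical table and function names, not Cacti's code.
// Constructed sample data: one known account in an in-memory SQLite database.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
    $db->exec("INSERT INTO users (username) VALUES ('alice')");
    return $db;
}

// Returns the matching row, or false when the name is not in the table.
function find_user(PDO $db, string $name)
{
    $st = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $st->execute([$name]);
    return $st->fetch(PDO::FETCH_ASSOC);
}

// Flawed pattern: trusts the name supplied by web authentication and never
// checks the lookup result. With no row, $user is false and the id becomes null,
// yet a session is still reported as established.
function login_unchecked(PDO $db, string $remoteUser): array
{
    $user = find_user($db, $remoteUser);
    return ['logged_in' => true, 'user_id' => $user['id'] ?? null];
}

// Hardened pattern: no row means no session (fail closed), and the event is logged.
function login_checked(PDO $db, string $remoteUser): array
{
    $user = find_user($db, $remoteUser);
    if ($user === false) {
        // json_encode() escapes control characters so the name cannot forge log lines.
        error_log('web auth user not in local user table: ' . json_encode($remoteUser));
        return ['logged_in' => false, 'user_id' => null];
    }
    return ['logged_in' => true, 'user_id' => (int) $user['id']];
}

$db = make_db();
foreach (['alice', 'mallory'] as $name) { // 'mallory' is not in the table
    printf("%-8s unchecked=%s checked=%s\n", $name,
        json_encode(login_unchecked($db, $name)),
        json_encode(login_checked($db, $name)));
}
```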