Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SQL Injection in CACTI
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Tue, 17 Aug 2004 18:38:11 +0200

Le mar 17/08/2004 à 10:53, Thomas Chiverton a écrit :
                php_flag magic_quotes_gpc Off
Cacti 0.8.5a does not ship with this set Off*, so this must be a Debian 
packaging error.

Cacti does not ship PHP. This option is related to PHP configuration,
not to Cacti, that should not rely on any PHP specific option unless
clearly mentionned (e.g. "Cacti must have magic_quotes_gpc set to On"),
would it be default or not.
I just checked available PHP distros, i.e. 4.3.8 and 5.0.1. They are
shipped with two php.ini files, php.ini-distand php.ini-recommanded. The
first one has magic_quotes_gpc set to On, but it is set to Off in the
second one...

The install instructions at 
http://www.raxnet.net/products/cacti/documentation.php?action=view&id=6
make no mention off having to disable the magic quote feature.

True. And it is not mentionned to have it On either.

I am running this version of Cacti with magic quotes On fine, this is the PHP 
default, afaik.

Cacti should not rely on specific PHP configuration to escape characters
using magic quotes in order to prevent command/code/SQL/whatever
injection, or any security stuff, but its own code to validate user
input.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault