Full Disclosure mailing list archives

Cacti Denial of Service
From: Mathieu Dessus <mdessus () gmail com>
Date: Wed, 06 Jun 2007 01:32:34 +0200


An authenticated Cacti user can modify the graph_start and graph_end
parameter values in the URL and supply much larger numbers than expected,
which makes Cacti use all of the server's CPU.
For example, if a user changes a graph URL as seen in the location bar:


to this one:


rrdtool will take 100% of the CPU for a long time. By sending multiple
requests like this, an attacker can create a denial of service on the
server running Cacti.

This was tested on the current version, but should work on previous
versions as well.


You should modify the check done in the file lib/html_validate.php
(function input_validate_input_number) by adding a second check like this:

function input_validate_input_number($value) {
  if ((!is_numeric($value)) && ($value != "")) { die_html_input_error(); }
  // added second check: reject values far beyond any plausible Unix timestamp
  if ($value >= 10000000000) { die_html_input_error(); }
}
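The following is an added example, not Cacti's own code: it validates graph_start and graph_end the way the suggested check does (numeric and below 10000000000) and additionally bounds the requested time span, so that one request cannot make rrdtool render an absurdly wide graph. The span limit and the sample inputs are hypothetical values constructed for the example.

```php
<?php
// Added example (not Cacti's code). Validates the two graph timestamps as the
// advisory's check does, then bounds the span between them.

define('MAX_UNIX_TIMESTAMP', 10000000000);         // the advisory's cutoff (year 2286)
define('MAX_GRAPH_SPAN_SECONDS', 10 * 365 * 86400); // hypothetical limit: 10 years

// Mirrors input_validate_input_number(): non-empty, numeric, below the cutoff.
function validate_graph_timestamp($value) {
    if ($value === '' || !is_numeric($value)) {
        return false;
    }
    if ((float)$value >= MAX_UNIX_TIMESTAMP) {
        return false;
    }
    return true;
}

// Validate the pair: both timestamps pass, start precedes end, span bounded.
function validate_graph_range($start, $end) {
    if (!validate_graph_timestamp($start) || !validate_graph_timestamp($end)) {
        return false;
    }
    if ((int)$start >= (int)$end) {
        return false;
    }
    return ((int)$end - (int)$start) <= MAX_GRAPH_SPAN_SECONDS;
}

// Constructed sample inputs: a normal one-day graph and oversized or
// malformed ranges of the kind a validator must refuse.
$cases = array(
    array('1181000000', '1181086400'),      // one day        -> accepted
    array('1181000000', '99999999999999'),  // beyond cutoff  -> rejected
    array('0', '1181086400'),               // 37-year span   -> rejected
    array('abc', '1181086400'),             // non-numeric    -> rejected
);
foreach ($cases as $c) {
    printf("graph_start=%s graph_end=%s => %s\n", $c[0], $c[1],
        validate_graph_range($c[0], $c[1]) ? 'accepted' : 'rejected');
}
```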

The Cacti team has now patched the source in their SVN:

More info:


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
