net/cacti exploit

Jeremy Chadwick koitsu at
Fri Jan 12 16:17:43 UTC 2007

On Thu, Jan 11, 2007 at 10:04:42PM -0500, Dan Langille wrote:
> There is an exploit out for cacti.  Details here:
> Patches here:
> There is no new release yet.  Shall I create a PR with the above 
> patches?  [I'm about to create a patch for the port now and apply it 
> to my server via port upgrade]

Thanks greatly for this, Dan.

Secunia released this announcement, since there's no details of the
actual problem in the forum threads:

I'm absolutely amazed.  This is not the fault of PHP (which has its
own security issues), but the fault of the cacti authors for making
blind assumptions.  It doesn't take a genius, especially on a UNIX
system, to think about the repercussions of passing URL arguments
directly to system()-executed commands.

I'd been considering (off and on for about a year) using cacti for
statistics gathering, and now I'm glad I didn't.  This kind of
flaw is a direct reflection of bad programming, not "bad code".

| Jeremy Chadwick                                 jdc at |
| Parodius Networking               |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
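As an added illustration of the pattern the message describes (not cacti's code, and not part of the original post), here is the same mistake and its hardened form in PHP; the `host` query parameter and the `ping` command are assumed for the example.

```php
<?php
// Constructed example: a request parameter reaching the shell unchanged,
// beside a version that validates and quotes it first.

// Vulnerable pattern: the shell parses whatever arrived in the query string,
// so any shell metacharacters in $host become part of the command line.
function ping_host_unsafe(string $host): string {
    return shell_exec("ping -c 1 " . $host) ?? '';   // $host straight from $_GET
}

// Hardened form: first check the value against what the parameter is allowed
// to be, then quote it so the shell sees one literal argument.
function ping_host_safe(string $host): string {
    // Hostnames only: letters, digits, dots and hyphens; reject everything else.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('rejected host parameter');
    }
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    return shell_exec($cmd) ?? '';
}

// Request handling (the 'host' key is assumed for this example).
// On PHP 7.4+ proc_open() also accepts an argv array, which avoids the shell
// entirely and is the stronger option when the command does not need one.
$host = $_GET['host'] ?? '';
try {
    echo ping_host_safe($host);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request';
}
```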
