Debian Security Advisory DSA 2747-1 (cacti - several vulnerabilities)

Summary
Two vulnerabilities were discovered in Cacti, a web interface for graphing of monitoring systems. CVE-2013-5588: install/index.php and cacti/host.php suffered from cross-site scripting vulnerabilities. CVE-2013-5589: cacti/host.php contained an SQL injection vulnerability, allowing an attacker to execute SQL code on the database used by Cacti.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 0.8.7g-1+squeeze3. For the stable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u2. For the unstable distribution (sid), these problems have been fixed in version 0.8.8b+dfsg-3. We recommend that you upgrade your cacti packages.
Insight
Cacti is a complete frontend to rrdtool. It stores all of the information necessary to create graphs, and populates them with data, in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, Cacti also handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.
Affected
cacti on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References