=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN027
_____________________________________________________________________

DATE                      : 13/02/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Cacti.

======================================================================
http://sourceforge.net/mailarchive/message.php?msg_name=47B11A15.4000405%40disorder.com
______________________________________________________________________

Multiple security vulnerabilities have been discovered in Cacti's web
interface:

* XSS vulnerabilities
* Path disclosure vulnerabilities
* SQL injection vulnerabilities
* HTTP response splitting vulnerabilities

All the above issues have been addressed in a new release of Cacti:

* 0.8.7b - http://www.cacti.net/downloads/cacti-0.8.7b.tar.gz
* 0.8.6k - http://www.cacti.net/downloads/cacti-0.8.6k.tar.gz

Patches for the following versions are available at:

* 0.8.7a - http://www.cacti.net/download_patches.php?version=0.8.7a
* 0.8.6j - http://www.cacti.net/download_patches.php?version=0.8.6j
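
The practical question this advisory raises for an operator is which of the installed Cacti instances already run one of the two fixed releases. The following Python helper is an added example, not code from CERT-Renater or the Cacti Group: it parses Cacti version strings, assuming the scheme used in the advisory (dotted integers plus an optional lower-case letter, e.g. 0.8.7a), and classifies each host against the fixed release of its branch. The inventory hostnames and their versions are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, one per affected branch.
FIXED_RELEASES = ("0.8.7b", "0.8.6k")

# Assumed Cacti version syntax: dotted integers plus an optional single
# lower-case letter (0.8.7, 0.8.7a, 0.8.6k). This is an assumption about
# the naming scheme, not something the advisory states.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)([a-z]?)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '0.8.7b' into ((0, 8, 7), 2); a missing letter sorts as 0."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    letter = m.group(2)
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return numbers, suffix


def assess(version: str) -> str:
    """Classify an installed version against the advisory.

    Returns 'fixed' when the version is at or after the fixed release of
    its branch, 'vulnerable' when it is earlier on that branch, and
    'not-covered' when the branch (e.g. 0.8.5 or 0.8.8) is one the
    advisory says nothing about.
    """
    branch, suffix = parse_version(version)
    for fixed in FIXED_RELEASES:
        fixed_branch, fixed_suffix = parse_version(fixed)
        if branch == fixed_branch:
            return "fixed" if suffix >= fixed_suffix else "vulnerable"
    return "not-covered"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by advisory status to build a follow-up list."""
    groups: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "not-covered": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory: hostnames and versions invented for the example.
SAMPLE_INVENTORY = {
    "graphs-01.example.test": "0.8.7a",
    "graphs-02.example.test": "0.8.7b",
    "legacy-nms.example.test": "0.8.6j",
    "legacy-nms2.example.test": "0.8.6k",
    "old-box.example.test": "0.8.5",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

A host that reports 0.8.7a or 0.8.6j may already have the vendor patch applied, since the patch does not change the reported version; treat "vulnerable" as "confirm the patch was applied" rather than as proof of exposure.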


Sincerely,

The Cacti Group


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
