Computer Security
[EN] securityvulns.ru



CVE: CVE-2006-6799
Status: Candidate
Description: SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function.
Severity: High
CVSS score: 7
CVSS vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
Phase: Assigned (28.12.2006)
NVD: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6799
References:
 BID : 21799
 BUGTRAQ : 20070118 Re: FW: [cacti-announce] Cacti 0.8.6j Released
 CONFIRM : http://www.cacti.net/release_notes_0_8_6j.php
 DEBIAN : DSA-1250
 FRSIRT : ADV-2006-5193
 GENTOO : GLSA-200701-23
 MANDRIVA : MDKSA-2007:015
 MILW0RM : 3029
 OPENPKG : OpenPKG-SA-2007.001
 SECTRACK : 1017451
 SECUNIA : 23528
 SECUNIA : 23665
 SECUNIA : 23917
 SECUNIA : 23941
 SUSE : SUSE-SA:2007:007
 XF : cacti-cmd-sql-injection(31177)
SecurityVulns: Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


