Multiple input sanitization flaws were discovered in cacti. Authenticated cacti administrator could use these flaws to run shell commands with web server privileges. Note: cacti administrator is always allowed to run commands as cacti user. References: http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php http://www.cacti.net/release_notes_0_8_7f.php Upstream commits: http://svn.cacti.net/viewvc?view=rev&revision=5778 http://svn.cacti.net/viewvc?view=rev&revision=5782 http://svn.cacti.net/viewvc?view=rev&revision=5784 See also bug #595289 for some related discussion.
*** Bug 586064 has been marked as a duplicate of this bug. ***
This issue has been addressed in following products: Red Hat HPC Solution for RHEL 5 Via RHSA-2010:0635 https://rhn.redhat.com/errata/RHSA-2010-0635.html