Accessing cacti using a user name not the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages. The bug is in auth_login.php which fails to check the query actually found any data or not. Upstream bug report: http://bugs.cacti.net/view.php?id=2656 Upstream fix: http://svn.cacti.net/viewvc?view=rev&revision=7770
Created cacti tracking bugs for this issue: Affects: epel-all [bug 1306530]
CVE assignment: http://seclists.org/oss-sec/2016/q1/305