graph.php security fixed

nocmanager · Post by **nocmanager** » Wed Jan 22, 2003 10:29 am

I noticed that when you access CACTI with http://x.x.x.x/cacti/graph.php?rraid=al ... id=some_id where som_id is a valid ID from rrd_graph table, then you can see the graph itself without any authorisation. I removed guest user but it didn't help. So, you can walk all numbers from 1 to infinity and actualy see all graphs in the system.

aratux(guest) · Post by **aratux(guest)** » Sun Jan 26, 2003 5:55 am

Believe me, that doesn't happen with me.
Mostly you use an old version.
When I try what you have said, I get access denied message.

Regards
Mohamed Eldesoky

nocmanager · Post by **nocmanager** » Wed Feb 05, 2003 6:57 am

Yes, I found out when it happened. When I removed guest user completely I could access graphs in this way, so it is not adviced to remove guest user, only to take all privileges from him, then it works fine.

Cacti

graph.php security fixed

graph.php security fixed

Who is online