BUG: SNMP passwords processed unescaped

philipp123 · Post by **philipp123** » Thu Dec 04, 2014 6:58 am

SNMPv3 passwords are passed by Cacti to mysql unescaped. So if I wish to use a single-quote character (') in my password, it will break data collection and generate a mysql syntax error. Please would you kindly fix.

Thanks,

Philip

BSOD2600 · Post by **BSOD2600** » Thu Dec 04, 2014 5:07 pm

What version of Cacti, OS, mysql, and php?

If not already on 0.8.8c, please upgrade and try to repro again. If successful, file a bug: http://www.cacti.net/bugs.php

philipp123 · Post by **philipp123** » Thu Dec 04, 2014 6:25 pm

Cacti Version 0.8.8a
PHP Version 5.3.3
mysql Server version: 5.1.61

I've worked-around it by changing to a different password, but it's exactly the kind of thing that would catch the unwary.

BSOD2600 · Post by **BSOD2600** » Fri Dec 05, 2014 7:26 pm

thanks for the report.

you do know those versions of php/mysql are EOL and filled with vulnerabilities, right?

cigamit · Post by **cigamit** » Fri Dec 05, 2014 9:57 pm

BSOD2600 wrote:you do know those versions of php/mysql are EOL and filled with vulnerabilities, right?

PHP 5.3.3 on Redhat/Centos will receive backported security fixes until Nov 2020.

BSOD2600 · Post by **BSOD2600** » Mon Dec 08, 2014 4:35 pm

Really?! bah! Time to stop living in the past.

cigamit · Post by **cigamit** » Mon Dec 08, 2014 4:44 pm

BSOD2600 wrote:Really?! bah! Time to stop living in the past.

I will probably stay with PHP 5.3.3 until 2020 (or find another repo). I refuse to upgrade to Centos 7, since it contains systemd.

Cacti

BUG: SNMP passwords processed unescaped

BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Re: BUG: SNMP passwords processed unescaped

Who is online