We’re big promoters of Cacti, so we would be remiss not to mention a potential security issue with it: a SQL injection vulnerability reported by Secunia.
Keep an eye out and update your installations as soon as possible (that is, as soon as an update or fix is released).
I saw this yesterday over at milw0rm and I immediately thought of you guys. Of course this can be mitigated if you close off your Cacti installation either with a good firewall rule or with .htaccess password protection (because from what I understand – I never used Cacti myself – only the reporting frontend is vulnerable, which should be accessible only to members of the IT staff anyway).
My installation is internal-use-only, so I’m not overly concerned, but… unless someone was using it in a public-facing configuration.
-KHD
Also, it would be interesting to know if something like mod_security (http://www.modsecurity.org/) or Suhosin (http://www.hardened-php.net/suhosin/index.html) would protect you against this.
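To make the mitigation suggested in the comments concrete, here is an added Apache configuration example (not part of the original post or of the Cacti project) that restricts the Cacti web frontend to a management subnet and additionally requires HTTP basic authentication. The document root `/var/www/cacti`, the subnet `10.0.0.0/24`, the password file path and the realm name are all assumed values; adjust them to your environment, and note that the `Require` syntax shown is the Apache 2.4 form.

```apache
# Added example: lock down the Cacti frontend so only IT staff can reach it.
# Place this in the vhost or server config (or the equivalent Require/Auth
# lines in a .htaccess file if AllowOverride permits it).
<Directory "/var/www/cacti">
    # Basic authentication: credentials live in a file outside the web root.
    # Create it with: htpasswd -c /etc/apache2/cacti.htpasswd <username>
    AuthType Basic
    AuthName "Cacti - IT staff only"
    AuthUserFile "/etc/apache2/cacti.htpasswd"

    # Defence in depth: the client must BOTH come from the management
    # subnet (assumed 10.0.0.0/24) AND present valid credentials.
    <RequireAll>
        Require ip 10.0.0.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Requiring both the source network and a valid login means that a request from outside the management subnet is rejected before any Cacti PHP code runs, and a stolen password alone is not enough from an arbitrary host. The equivalent firewall rule (permit TCP/80 and TCP/443 to the Cacti host only from that subnet) adds a second, independent layer that does not depend on the web server configuration being correct.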