If you are using Percona Monitoring Plugins for Cacti, this article should be important to you.
By default, the Cacti setup is closed from accessing from Web. Here is an excerpt from /etc/httpd/conf.d/cacti.conf:
# httpd 2.4 Require host localhost # httpd 2.2 Order deny,allow Deny from all Allow from localhost
In order, to access the Cacti web interface, most likely, you will be changing this configuration. Commenting out Deny/Require statements will open the Cacti to the local network or Internet. This will create a potential vulnerability to disclose MySQL password contained in scripts under the directory /usr/share/cacti/scripts/, in particular /usr/share/cacti/scripts/ss_get_mysql_stats.php and /usr/share/cacti/scripts/ss_get_mysql_stats.php.cnf, when trying to access them from Web.
Unfortunately, the folder /usr/share/cacti/scripts/ is not closed by default as it is done with /usr/share/cacti/log/ and /usr/share/cacti/rra/ directories.
We strongly recommend to close any access from the web for these additional directories or files:
* /usr/share/cacti/site/scripts/ (for Debian systems)
Here is an example of httpd configuration that can harden your setup (goes to /etc/httpd/conf.d/cacti.conf):
Redirect 404 / Require all denied Order deny,allow Deny from all
Even if you fully password-protected your Cacti installation using HTTP authentication, it is still recommended to double-secure the directories and files listed above.
Thanks to William Lightning for reporting this issue.