Summary
There is a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file ‘managers.php’. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint ‘/cacti/managers.php’ with an SQLi payload in the ‘selected_graphs_array’ HTTP GET parameter.
Details
The vulnerability occurs in the function ‘form_actions’ in the file ‘managers.php’.
Passing the ‘selected_items’ and ‘action_receivers’ HTTP parameters (1. and 2.) allows access to the dangerous statement (3.), which deserializes the provided value.
The function ‘get_nfilter_request_var’ performs no sanitization; as the comment above its definition states, it “returns the value of the request variable deferring any filtering”. Similarly, ‘stripslashes’ only removes backslashes that escape quotes, so it also performs no meaningful sanitization.
The ‘cacti_unserialize’ function uses the ‘allowed_classes’ argument to remove any vectors for PHP Object Injection, but does not otherwise sanitize the deserialized value.
Passing a value in the parameter ‘selected_graphs_array’ that deserializes successfully allows entering the subsequent conditional block. Passing a value of 1, 2, or 3 in the parameter ‘drp_action’ (4.) enters a block in which raw SQL queries are constructed and then executed on the database via ‘db_execute’. In each of these blocks SQLi is possible.
The array ‘$selected_items’ is imploded (joined) and then concatenated directly into the SQL query.
Therefore, to exploit this, an attacker can send a serialized array containing a string with a SQLi payload, which is:
- deserialized to an in-memory array,
- joined into a single string,
- concatenated into a raw SQL query,
- executed on the database.
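The data flow described above (request parameter, ‘stripslashes’, deserialization with ‘allowed_classes’ disabled, ‘implode’, concatenation into a raw SQL statement), reproduced as an added PHP example. This is not Cacti's code: the function and table names are hypothetical, and the serialized payload is constructed here for illustration. The hardened function alongside shows the check a fix needs: every deserialized element is validated as an integer id and bound as a query parameter instead of being concatenated.

```php
<?php
// Added example (not Cacti's code). Models the vulnerable pattern the advisory
// describes and a hardened equivalent. Names are hypothetical.

// Attacker side: build a PHP-serialized array holding one string element.
// serialize() emits s:<byte length>:"...", so the length field is always right.
function serialize_payload(string $sqli): string {
    return serialize([$sqli]);
}

// Vulnerable pattern: the deserialized values are joined and concatenated
// verbatim, so any element of the array is interpreted as SQL.
function vulnerable_query(string $raw_selected_items): ?string {
    $selected_items = unserialize(stripslashes($raw_selected_items), ['allowed_classes' => false]);
    if ($selected_items === false || !is_array($selected_items)) {
        return null;
    }
    // allowed_classes=false blocks object injection, but does nothing about
    // the content of the strings that come back.
    return 'DELETE FROM example_receivers WHERE id IN (' . implode(',', $selected_items) . ')';
}

// Hardened pattern: accept only positive integer ids, reject (do not "clean")
// anything else, and bind the ids as parameters of a prepared statement.
function hardened_query(string $raw_selected_items): ?array {
    $selected_items = unserialize(stripslashes($raw_selected_items), ['allowed_classes' => false]);
    if ($selected_items === false || !is_array($selected_items) || count($selected_items) === 0) {
        return null;
    }
    $ids = [];
    foreach ($selected_items as $item) {
        $valid = filter_var($item, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($valid === false) {
            return null;   // a non-integer element aborts the whole action
        }
        $ids[] = $valid;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // Returned as [statement, bound parameters]; execute with PDO::prepare()/execute().
    return ['DELETE FROM example_receivers WHERE id IN (' . $placeholders . ')', $ids];
}

// Constructed payload: a time-based blind probe that is true for every row.
$payload = serialize_payload("1) OR SLEEP(5)-- -");
echo $payload, "\n";                       // the serialized array the attacker submits
echo vulnerable_query($payload), "\n";     // the payload lands inside the IN (...) clause
var_dump(hardened_query($payload));        // rejected: the element is not an integer id
var_dump(hardened_query(serialize([3, '7'])));  // accepted: placeholders plus bound ids
```

Running this with the PHP CLI prints the serialized form, the injected statement, and the two outcomes of the hardened path. The important detail for a fix is that validation happens after deserialization, on each element, because ‘stripslashes’ and ‘allowed_classes’ constrain the container, not the strings inside it.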
PoC
The vulnerability may be triggered by signing into a low privilege account that has the “Settings/Utilities” permission and making an HTTP GET request to the endpoint ‘/cacti/managers.php’. The screenshot below shows reproduction in BurpSuite.
Note that at least one row must exist in the affected tables for the injection to trigger. Test data can be added through the user interface on the endpoint ‘/cacti/managers.php’.
A PoC script that uses the injection to demonstrate a legitimate attack via this vector can be provided to the Cacti maintainers upon request.
Impact
Using a time-based blind SQLi technique, the attacker can disclose Cacti database contents and, depending on database configuration, may be able to achieve further impact such as arbitrary file read or even remote code execution via arbitrary file write.
Credit
Credit for discovery goes to Synopsys CyRC researcher Matthew Hogg