Cacti Arbitrary File Creation Leading to Remote Code Execution Vulnerability

Vulnerability

A vulnerability in Cacti versions through 1.2.28 allows an authenticated user to abuse the graph creation and graph template functionality to write arbitrary PHP scripts into the application's web root. Requesting such a script then executes it on the server, resulting in remote code execution. The root cause is insufficient sanitization of user-supplied graph options before Cacti passes them to the rrdtool binary it uses to render graphs.

Impact

Successful exploitation gives an authenticated attacker arbitrary PHP code execution on the Cacti server, running with the privileges of the web server process.

Reproduction

To reproduce this vulnerability, an authenticated Cacti user creates a graph or modifies a graph template and places a payload in the 'right_axis_label' option. Because that option is not sanitized for newline characters, a newline inside the label ends the current rrdtool command, and whatever follows is read by rrdtool as further commands. The injected commands can create a new RRD database and then graph it so that the resulting output, written into the web root, contains PHP code (for example, a call that outputs the PHP configuration via phpinfo).
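The following Python model is an added example and is not code from Cacti or from the original advisory. It assumes, as the description above indicates, that graph options are handed to rrdtool as line-oriented command text, so an embedded newline ends one command and starts another. The label strings, file paths and the quoting helper are constructed for illustration; the injected line is a harmless 'create' of a throwaway RRD file and only demonstrates the command splitting, not the full chain that writes PHP into the web root.

```python
import re

# Constructed input: a label a user would legitimately enter.
BENIGN_LABEL = "requests/sec"

# Constructed payload: a label, a newline, then a second rrdtool command.
# The 'create' is deliberately harmless; it shows only that the newline
# causes rrdtool to see a new command. A real payload would also have to
# deal with the quote that is still open at this point, which this model
# does not attempt.
INJECTED_LABEL = (
    "requests/sec\n"
    "create /tmp/injected.rrd --step 300 DS:x:GAUGE:600:U:U RRA:AVERAGE:0.5:1:1"
)


def quote_shell_arg(value: str) -> str:
    """Single-quote an argument the way PHP's escapeshellarg() does on POSIX.

    Shell quoting protects against shell metacharacters, but it leaves
    newline characters in place, so it does nothing against a consumer that
    splits its input on newlines.
    """
    return "'" + value.replace("'", "'\\''") + "'"


def strip_control_characters(value: str) -> str:
    """Remove CR, LF and every other ASCII control character from an option."""
    return re.sub(r"[\x00-\x1f\x7f]", "", value)


def build_graph_command(output_png: str, right_axis_label: str, sanitize: bool) -> str:
    """Model of how the right_axis_label option ends up in an rrdtool command.

    sanitize=False: the label is only shell-quoted (the vulnerable behaviour
    described in the advisory). sanitize=True: control characters are
    removed first (the hardened behaviour). The DEF/LINE1 arguments and the
    RRD path are constructed placeholders.
    """
    if sanitize:
        right_axis_label = strip_control_characters(right_axis_label)
    return (
        f"graph {quote_shell_arg(output_png)} "
        f"--right-axis-label {quote_shell_arg(right_axis_label)} "
        "DEF:a=/var/lib/cacti/rra/example.rrd:value:AVERAGE "
        "LINE1:a#0000FF:'example'"
    )


def rrdtool_command_lines(command_text: str) -> list:
    """Split text the way a line-oriented rrdtool command reader consumes it:
    every non-empty line is a separate command.
    """
    return [line for line in command_text.splitlines() if line.strip()]


def injected_command_count(label: str, sanitize: bool) -> int:
    """Number of extra rrdtool commands an attacker smuggles in via the label."""
    lines = rrdtool_command_lines(build_graph_command("/tmp/graph.png", label, sanitize))
    return len(lines) - 1


if __name__ == "__main__":
    for label_name, label in (("benign", BENIGN_LABEL), ("injected", INJECTED_LABEL)):
        for sanitize in (False, True):
            mode = "sanitized" if sanitize else "unsanitized"
            print(f"{label_name:9s} {mode:12s} extra commands: "
                  f"{injected_command_count(label, sanitize)}")
```

The point the model makes is that shell-argument quoting alone is the wrong control here: the consumer is rrdtool's line reader, not a shell, so the option must be stripped of newlines (and, defensively, of all control characters) before it is interpolated into the command text.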

Remediation

Upgrade to Cacti version 1.2.29 or later, which fixes this vulnerability. Because exploitation requires an authenticated account with rights to create graphs or edit graph templates, limiting those permissions to trusted users reduces exposure until the upgrade is applied. Administrators investigating a possible compromise should look for unexpected PHP files in the Cacti web root and for graph templates whose 'right_axis_label' contains newline characters.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 8.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.