Brief analysis of a SQL injection in Cacti 0.8.8b

Back in September 2013 I wanted to practice some code auditing and picked the latest version of Cacti (v0.8.8b at the time). I spent a few hours looking into the code and also assessing a running instance of Cacti, and this exercise turned up a few vulnerabilities. I was motivated to finally put together this write-up since several SQL injections were fixed in Cacti in July 2015. As of this writing (September 2015), it seems like this vulnerability is still present in the latest version of Cacti.

For those who don't know, Cacti is a quite popular network monitoring tool, pretty similar to Zabbix and Nagios. A quick Google search for intitle:"Login to Cacti" comes up with more than 4,000 results. Finding high severity bugs in Cacti means that chances are very high an attacker will actually break into a box located in a privileged position in the network, since a monitoring host needs to be placed where it can observe traffic and events across the infrastructure.

Cacti is a PHP application and I have to say, it’s miserable from a security point of view.
