Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path

Moderate
netniV published GHSA-pv2c-97pp-vxwg Jan 26, 2025

Package

Cacti (PHP)

Affected versions

1.2.27

Patched versions

1.2.29

Description

Summary

An admin can change the Poller Standard Error Log Path parameter, in either Installation Step 5 or the Configuration->Settings->Paths tab, to a local file on the server. Going to the Logs tab and selecting the name of that local file then shows its content in the web UI.

Details

An admin can change the Poller Standard Error Log Path in installation step 5 (no need to complete the steps before or after step 5) to a local file such as /etc/passwd and view the content of the /etc/passwd file under the Logs tab, as seen in the screenshots below.

An admin user (or any user with the privilege to change the Poller Standard Error Log Path under the Configuration->Settings->Paths tab) can achieve the same result from the Configuration->Settings->Paths tab, as seen in the screenshots below. Here, the /var/www/html/cacti/include/config.php file is chosen as an example.

PoC

  • Change the Poller Standard Error Log Path from either installation step 5 or from Configuration->Settings->Paths tab to /etc/passwd.
  • Go to Logs tab and select the passwd file.

Impact

It allows users with the privilege to change Poller Standard Error Log Path to view sensitive files on the server.
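
One way to constrain such a setting before a log viewer opens the file, as an added illustration that is not Cacti's code and not the fix shipped in 1.2.29. The helper name `is_allowed_log_path`, the `.log` extension policy, the demo directory and the POSIX-path assumption are all hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not Cacti's code): accept a configured log path only if it
// resolves to a *.log file inside an allow-listed directory. Assumes POSIX paths.
function is_allowed_log_path(string $path, array $allowedDirs): bool
{
    // Reject empty values, NUL bytes and relative paths outright.
    if ($path === '' || strpos($path, "\0") !== false || $path[0] !== '/') {
        return false;
    }
    // Resolve symlinks and ".." segments. A log that does not exist yet is
    // resolved through its parent directory; dangling symlinks are refused.
    $resolved = realpath($path);
    if ($resolved === false) {
        $parent = realpath(dirname($path));
        if ($parent === false || is_link($path)) {
            return false;
        }
        $resolved = $parent . '/' . basename($path);
    }
    // Existing targets must be regular files, and the name must end in .log.
    if (file_exists($resolved) && !is_file($resolved)) {
        return false;
    }
    if (strtolower(pathinfo($resolved, PATHINFO_EXTENSION)) !== 'log') {
        return false;
    }
    // The resolved path must sit under one of the allowed directories.
    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base !== false && strpos($resolved, rtrim($base, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Constructed demo: a temporary directory stands in for the real log directory.
$logDir = sys_get_temp_dir() . '/cacti_log_demo';
@mkdir($logDir);
$candidates = [
    $logDir . '/cacti_stderr.log',             // inside the log directory
    '/etc/passwd',                             // file from the advisory's PoC
    $logDir . '/../../etc/passwd',             // traversal out of the directory
    '/var/www/html/cacti/include/config.php',  // second file from the advisory
];
foreach ($candidates as $p) {
    printf("%-45s %s\n", $p, is_allowed_log_path($p, [$logDir]) ? 'accept' : 'reject');
}
```

Only the first candidate is accepted. The same check belongs both where the setting is saved and where the file is read, since a value stored before validation existed would otherwise still be served.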

Severity

Moderate

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

CVE ID

CVE-2024-45598

Weaknesses

No CWEs

Credits