TABLE OF CONTENTS RaXnet Cacti is a FLOSS (Free/Libre/Open-Source Software) tool written solely in PHP. It is a front-end interface for the RRDTool (round robin database tool). All of the data utilized via this tool is saved in a MySQL database that can later be leveraged to create activity-based graphs. More information, downloads, and documentation on Cacti can be found at www.cacti.net.
In June 2005, Alberto Trivero reported a security vulnerability, or software bug, in Cacti that affected all versions prior to 0.8.6-d, due to insufficient sanitizing of user-supplied data specifically, the data that is passed to graph_image.php script. In this finding, a malicious user could execute arbitrary code on the system with the privilege of the Web server, using a specially crafted request. The following Metasploit module code exploits this vulnerability, with the goal of executing a command shell on a vulnerable target system. Think "shellcode."
The Cacti development team quickly released a patch to remedy this vulnerability. However, another flaw was found in the same script file in July 2005. More information on that flaw can be found at www.securityfocus.com/bid/14129/.
You should upgrade to at least version 0.8.6-f if you want to be safe from this flaw.
The following Proof of Concept (PoC) was released when the flaw was disclosed:
<a class="url"> href="http://www.victim.com/cacti/graph_image.php"> target="_top">www.victim.com/cacti/graph_image.php</a>?local_graph_id=[valid_value]&graph_start=%0a[command]%0a
This PoC gets two values from the user:
A valid local_graph_id value; i.e., a valid numerical reference to an existing Cacti graph
A valid command pass to graph_start variable; i.e.,...
