Summary
A SQL injection vulnerability in the template function of host_templates.php: the parameter graph_template is used without any filter.
Details
In host_templates.php line 852:
    if (get_request_var('graph_template') != '-1') {
        // the raw request value is concatenated into the WHERE clause
        $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(gt_id = ' . get_request_var('graph_template') . ')';
        $sql_join = "INNER JOIN (
            SELECT DISTINCT host_template_id, id AS gt_id
            FROM (
                SELECT htg.host_template_id, gt.id
                FROM graph_templates AS gt
                INNER JOIN host_template_graph AS htg
                ON htg.graph_template_id = gt.id
                UNION
                SELECT htsq.host_template_id, gt.id
                FROM graph_templates AS gt
                INNER JOIN snmp_query_graph AS sqg
                ON gt.id = sqg.graph_template_id
                INNER JOIN host_template_snmp_query AS htsq
                ON sqg.snmp_query_id = htsq.snmp_query_id
            ) AS rs
        ) AS htdata
        ON htdata.host_template_id = ht.id";
    }
The value of graph_template is concatenated directly into the SQL statement.
In host_templates.php line 644:
    'graph_template' => array(
        'filter' => FILTER_DEFAULT,
        'pageset' => true,
        'default' => '-1'
    ),
The filter for graph_template is FILTER_DEFAULT, which means the parameter graph_template is passed through without any validation.
Discoverer
LoRexxar@Qianxin Tiangong Lab
PoC
http://127.0.0.1/cacti/host_templates.php?graph_template=slepp(1)
The value of graph_template is inserted unchanged into the SQL statement.
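The following is an added example, not code from the advisory or from the Cacti project. It places the advisory's concatenation pattern beside a hardened version that validates graph_template with FILTER_VALIDATE_INT and emits a bound placeholder instead of the raw string. The function names vulnerable_where() and hardened_where() and the constructed inputs are assumptions for illustration; the WHERE-fragment logic mirrors the advisory's snippet.

```php
<?php
// Added example (not Cacti's own code): weak request filter beside a
// hardened one, and the WHERE fragment built both ways. Names are assumptions.
declare(strict_types=1);

// Weak validation entry as shown in the advisory: FILTER_DEFAULT returns the
// raw string, so anything the client sends reaches the SQL builder.
$weak_spec = array(
    'graph_template' => array(
        'filter'  => FILTER_DEFAULT,
        'pageset' => true,
        'default' => '-1'
    ),
);

// Hardened entry: only integers >= -1 are accepted (-1 means "all templates").
$hardened_spec = array(
    'graph_template' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('options' => array('min_range' => -1)),
        'pageset' => true,
        'default' => '-1'
    ),
);

/**
 * Reproduces the advisory's pattern: the request value is concatenated into
 * the WHERE clause with no validation.
 */
function vulnerable_where(string $sql_where, string $graph_template): string
{
    if ($graph_template != '-1') {
        $sql_where .= ($sql_where != '' ? ' AND ' : 'WHERE ') . '(gt_id = ' . $graph_template . ')';
    }
    return $sql_where;
}

/**
 * Hardened version: validate as an integer, fall back to the default on
 * failure, and bind the value through a placeholder. Returns
 * array(sql_fragment, params) for use with a prepared statement.
 */
function hardened_where(string $sql_where, ?string $raw, array $spec): array
{
    $field = $spec['graph_template'];
    $graph_template = filter_var($raw ?? $field['default'], $field['filter'], $field['options']);
    if ($graph_template === false) {
        $graph_template = (int) $field['default']; // invalid input: no filter applied
    }
    $params = array();
    if ($graph_template !== -1) {
        $sql_where .= ($sql_where != '' ? ' AND ' : 'WHERE ') . '(gt_id = ?)';
        $params[] = $graph_template;
    }
    return array($sql_where, $params);
}

// Constructed inputs: one legitimate id and one non-numeric string.
foreach (array('3', '1 OR 1=1') as $input) {
    echo "input: {$input}\n";
    echo "  concatenated:  " . vulnerable_where('', $input) . "\n";
    list($sql, $params) = hardened_where('', $input, $hardened_spec);
    echo "  parameterized: " . ($sql === '' ? '(no filter applied)' : $sql)
        . " params=" . json_encode($params) . "\n";
}
```

For the legitimate input the two builders produce equivalent clauses (`WHERE (gt_id = 3)` versus `WHERE (gt_id = ?)` with `[3]` bound). For the non-numeric input the concatenating builder emits `WHERE (gt_id = 1 OR 1=1)`, while the hardened builder rejects the value, falls back to `-1`, and applies no filter at all. In Cacti the fragment and its parameter array would then be handed to the prepared-statement helpers such as db_fetch_assoc_prepared() rather than to the plain db_fetch_assoc().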