CVE-2005-2148 in Cacti

Summary

by MITRE

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.


Analysis

by VulDB Data Team • 06/06/2019

The vulnerability described in CVE-2005-2148 is a critical input validation flaw in Cacti versions 0.8.6e and earlier that exposes the system to remote command execution and SQL injection. The issue stems from inadequate sanitization of user-supplied input in the web application's request handling. The flaw lies in the get_request_var function, which does not validate and sanitize the parameter value that the calling code actually uses, leaving a pathway for attackers to alter the application's behavior through crafted HTTP requests.

Exploitation relies on supplying the same parameter through two channels at once: a legitimate value is sent in the POST body or in a cookie, while the attack string is placed in the URL query string. Because PHP builds $_REQUEST by merging the sources in request order, the POST or cookie value wins, so $_REQUEST carries the legitimate value while $_GET still holds the malicious one from the URL. get_request_var cleanses and returns the value taken from $_REQUEST, so the sanitization is applied to the harmless copy, while the original malicious $_GET value remains unmodified and unfiltered. Scripts that then read $_GET directly, such as graph_image.php and graph.php, process the tainted data, which can be executed as a command or injected into a database query.

The operational impact of this vulnerability is severe as it enables remote attackers to execute arbitrary system commands on the affected server with the privileges of the web application user. This capability allows attackers to gain full control over the system, potentially leading to data breaches, system compromise, and further lateral movement within the network infrastructure. The vulnerability affects the core graphing functionality of Cacti, which is essential for network monitoring and performance tracking, making it particularly dangerous for organizations that rely on this monitoring infrastructure. Additionally, the SQL injection component of this vulnerability can result in unauthorized data access, data modification, or complete database compromise.

The vulnerability aligns with CWE-20, improper input validation, and is a classic example of insecure data handling in web applications. From an ATT&CK framework perspective, this vulnerability maps to T1059.007 for command and script injection, and T1071.004 for application layer protocol. The attack surface is further expanded by the fact that the flaw affects core web application functionality rather than isolated components, making it particularly attractive to threat actors seeking persistent access to network monitoring systems. Organizations should implement mitigations immediately: validate input, encode output, and handle request parameters so that the value actually used by the code is the sanitized one. They should also upgrade to a patched version of Cacti, since exploitation can lead to complete system compromise and unauthorized access to sensitive network monitoring data.
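The following Python model is an added illustration of the request-variable confusion described in the exploitation paragraph and of the parameter-handling mitigation named in the paragraph above; it is not code from Cacti or from VulDB. It assumes PHP's default request order "GPC", in which later sources override earlier ones when $_REQUEST is assembled, and it uses constructed parameter names and values ("graph_start", "1;extra") rather than anything captured from a real request. The vulnerable handler mirrors the pattern the advisory describes (sanitize the merged copy, then read the raw $_GET copy); the hardened handler reads a single explicit source and uses only the validated return value; the last function is a detection aid that flags a request in which one parameter arrives from several sources with different values.

```python
import re
from typing import Dict, Optional

# Constructed sample request (not captured traffic): the same parameter name
# carries a benign value in the POST body and a tainted value in the URL.
SAMPLE_REQUEST: Dict[str, Dict[str, str]] = {
    "GET": {"graph_start": "1;extra", "local_graph_id": "5"},
    "POST": {"graph_start": "1118000000"},
    "COOKIE": {},
}

# PHP default request order: G, then P, then C; a later source overrides an
# earlier one for the same key when $_REQUEST is built. (Assumption: defaults.)
REQUEST_ORDER = "GPC"
SOURCE_NAMES = {"G": "GET", "P": "POST", "C": "COOKIE"}


def build_request_superglobal(req: Dict[str, Dict[str, str]],
                              order: str = REQUEST_ORDER) -> Dict[str, str]:
    """Model how $_REQUEST is merged from $_GET, $_POST and $_COOKIE."""
    merged: Dict[str, str] = {}
    for letter in order:
        merged.update(req[SOURCE_NAMES[letter]])
    return merged


def sanitize_integer(value: str) -> str:
    """Strip-style cleanser: keep digits only (the advisory's 'cleansed' value)."""
    return re.sub(r"[^0-9]", "", value)


def validate_integer(value: str) -> Optional[str]:
    """Reject-style validator: the whole value must be digits, else None."""
    return value if re.fullmatch(r"[0-9]+", value) else None


def get_request_var_model(req: Dict[str, Dict[str, str]], name: str) -> str:
    """Hypothetical stand-in for a get_request_var that cleanses $_REQUEST.
    The returned value is the one callers are expected to use."""
    merged = build_request_superglobal(req)
    return sanitize_integer(merged.get(name, ""))


def vulnerable_handler(req: Dict[str, Dict[str, str]]) -> str:
    """Vulnerable pattern: the sanitizer runs, but the raw $_GET copy is used."""
    get_request_var_model(req, "graph_start")   # cleanses $_REQUEST['graph_start']
    return req["GET"].get("graph_start", "")    # ...yet the code reads $_GET as-is


def hardened_handler(req: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Hardened pattern: one explicit source, strict validation, and only the
    validated return value is used downstream."""
    raw = req["GET"].get("graph_start", "")
    return validate_integer(raw)


def parameter_source_conflicts(req: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Detection aid: parameters supplied by more than one source with
    differing values, which is the shape of request this flaw relies on."""
    seen: Dict[str, Dict[str, str]] = {}
    for source in ("GET", "POST", "COOKIE"):
        for key, value in req[source].items():
            seen.setdefault(key, {})[source] = value
    return {k: s for k, s in seen.items() if len(set(s.values())) > 1}


if __name__ == "__main__":
    print("merged $_REQUEST:", build_request_superglobal(SAMPLE_REQUEST))
    print("vulnerable handler uses:", vulnerable_handler(SAMPLE_REQUEST))
    print("hardened handler uses:", hardened_handler(SAMPLE_REQUEST))
    print("source conflicts:", parameter_source_conflicts(SAMPLE_REQUEST))
```

Run stand-alone, the vulnerable handler hands "1;extra" to the downstream code although the sanitizer saw only the clean POST value, the hardened handler rejects the request outright, and the conflict report names graph_start with its two disagreeing sources, which is a cheap signal to log at the web tier.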

Reservation: 07/06/2005

Disclosure: 07/06/2005

Moderation: accepted

Entry: VDB-25682

CPE: ready

Exploit: Download

EPSS: 0.04133

KEV: no

Activities: very low
