CVE-2017-16660 in Cacti
Summary
by MITRE
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.
Analysis
by VulDB Data Team • 01/06/2023
CVE-2017-16660 is a critical remote code execution flaw in Cacti version 1.1.27 that can only be triggered from an authenticated administrator account. The vulnerability stems from improper input validation and sanitization in the remote_agent.php script, which records the value of the Client-ip request header. The flaw becomes exploitable when the Log Path setting points to a location inside the web root, turning a plain logging feature into a path by which an attacker can have the server execute arbitrary PHP code.
Technically, the vulnerability involves manipulation of HTTP headers, specifically the Client-ip header, whose value remote_agent.php writes to the Cacti log without adequate sanitization. When an authenticated administrator sends a request to this endpoint with PHP code embedded in the Client-ip header, the application neither validates nor escapes the value before logging it; because the log file sits under the web root, the embedded code can then be served and interpreted by the web server. This is a code injection scenario in which an administrative session is turned into arbitrary code execution on the server, giving the attacker full control over the Cacti installation and the account under which the web server runs.
From an operational perspective, this vulnerability poses a severe risk to the network monitoring infrastructure that relies on Cacti for system monitoring and data collection. The attack requires only authenticated administrator access, a level of access that is often treated as trusted within network environments, so exploitation becomes likely wherever administrative credentials have been compromised through phishing, credential theft, or other social engineering. Once exploited, the attacker can execute arbitrary commands with the privileges of the web server process, which can lead to complete system compromise, data exfiltration, and further lateral movement within the network.
The vulnerability is classified as CWE-94, which covers improper validation of dangerous or unexpected input that leads to code injection. This weakness is further categorized under the MITRE ATT&CK framework as part of the Execution tactic, specifically the T1059.007 technique for PowerShell and .NET execution, although in this case PHP code is executed. Organizations should apply immediate mitigations: keep the Cacti log path outside the web root, validate and sanitize all HTTP header values before they are stored or logged, and apply security updates promptly. Recommended defense-in-depth measures include network segmentation, monitoring for suspicious header values, and a web application firewall that detects and blocks requests carrying PHP code patterns in HTTP headers.
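The two mitigations above (a log path that must not resolve under the web root, and Client-ip header values that should never contain PHP) can both be checked mechanically. The following is an added example written for this page, not code from Cacti or VulDB; the paths, header values and the (source, headers) request shape are constructed for illustration.

```python
import ipaddress
import os
import re

# Added example (not Cacti's own code). CVE-2017-16660 needs two conditions:
# (1) the Cacti log path resolves inside the web root, and (2) a Client-ip
# header carrying PHP code is written to that log by remote_agent.php.
# Each function below checks one of those conditions from the defender's side.

PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)?|\?>", re.IGNORECASE)


def log_path_under_web_root(log_path, web_root):
    """True if log_path resolves to a location inside web_root.

    realpath() resolves symlinks and '..' segments before the containment
    test, so /var/www/html/../html/log/cacti.log is still caught, while a
    sibling such as /var/www/html-backup is not mistaken for a child of
    /var/www/html (a naive startswith() check would get both wrong).
    """
    root = os.path.realpath(web_root)
    target = os.path.realpath(log_path)
    return os.path.commonpath([root, target]) == root


def classify_client_ip(value):
    """Classify a Client-ip header value: 'ok' for a valid IPv4/IPv6 literal,
    'php_tag' if it carries a PHP open/close tag, 'malformed' otherwise."""
    if PHP_TAG_RE.search(value):
        return "php_tag"
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return "malformed"
    return "ok"


def audit_requests(requests):
    """Return (source, verdict, value) for every request whose Client-ip
    header is not a plain address; such requests merit an alert."""
    findings = []
    for source, headers in requests:
        value = headers.get("Client-ip")
        if value is not None and (verdict := classify_client_ip(value)) != "ok":
            findings.append((source, verdict, value))
    return findings


# Constructed sample requests (hypothetical values, not captured traffic).
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"Client-ip": "10.0.0.5"}),
    ("10.0.0.7", {"Client-ip": "<?php echo 'x'; ?>"}),
    ("10.0.0.9", {"Client-ip": "not-an-address"}),
]
```

Running `log_path_under_web_root` against the configured Log Path and document root during a configuration audit flags the precondition before any request arrives; `audit_requests` is the same logic a WAF or log pipeline would apply to header values.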