CVE-2017-16661 in Cacti
Summary
by MITRE
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
Analysis
by VulDB Data Team • 01/10/2023
This vulnerability exists in Cacti version 1.1.27 and is a critical path traversal flaw that allows authenticated administrators to read arbitrary files on the system. It stems from improper input validation in the clog.php script, which fails to adequately sanitize the filename parameter before using it to construct a file path. When an administrator makes a request to clog.php with a filename parameter naming a file inside the configured Log Path directory, the application does not validate or restrict the resulting file access, enabling unauthorized reading of system files.
Technically, the flaw lies in the application's handling of log file paths and the lack of access controls on user-supplied input: it is triggered when the Log Path configuration is set to a private directory such as /etc and an attacker then crafts a request to clog.php whose filename parameter points to a sensitive system file. The vulnerability is classified under CWE-22, "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", a well-known weakness that allows attackers to access files outside the intended directory scope.
The operational impact of this vulnerability is severe, as it allows authenticated users to bypass normal file access controls and read sensitive system information. An attacker who already has administrative access to the Cacti system can use this vulnerability to extract system configuration files, password hashes, or other sensitive data that could be used for further exploitation. The demonstration using /etc/passwd shows that attackers can reach critical system information that would normally be restricted. This vulnerability essentially provides a backdoor mechanism for information disclosure that could lead to privilege escalation or further system compromise.
The attack vector requires that the attacker already possess administrative credentials, but the vulnerability significantly expands the damage potential of compromised accounts. From an ATT&CK perspective, this vulnerability maps to T1083 (File and Directory Discovery) and T1005 (Data from Local System) as it enables the discovery and extraction of sensitive files from the target system. Organizations using Cacti should immediately apply the vendor-provided patches or upgrade to versions that address this path traversal vulnerability. The recommended mitigation includes implementing proper input validation, sanitization of user-supplied parameters, and ensuring that file access is properly restricted to prevent arbitrary file reading through the clog.php interface. Additionally, implementing least privilege principles for administrative accounts and monitoring for unusual file access patterns can help detect exploitation attempts.
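The following PHP snippet is an added illustration of the mitigation described above (input validation plus restricting file access to the log directory); it is not Cacti's code and not the vendor's actual fix. It assumes PHP 8 (for str_starts_with/str_contains), a POSIX filesystem (symlink is used in the demo), and an application-owned log directory passed as $allowedBase. The function name resolve_log_file and the temporary directory layout are hypothetical. The check refuses all three conditions the analysis names: a filename that is not a plain log file name, a Log Path that has been moved into a private directory such as /etc, and a resolved file (including a symlink target) that lands outside the log directory.

```php
<?php
// Added example, not Cacti's code: containment check for a log viewer that
// reads a user-supplied file name from a configured Log Path.
// Assumptions: $allowedBase is the application's own log directory, log files
// are named "<name>.log", and the caller turns a null result into an error page.
declare(strict_types=1);

/**
 * Resolve $filename inside $logPath and return the absolute path,
 * or null if the request must be refused.
 */
function resolve_log_file(string $logPath, string $filename, string $allowedBase): ?string
{
    // 1. Only plain log file names: no separators, no "..", no NUL bytes,
    //    and a .log suffix. "passwd" and "../secret.txt" both fail here.
    if (preg_match('/^[A-Za-z0-9._-]+\.log$/', $filename) !== 1 || str_contains($filename, '..')) {
        return null;
    }

    // 2. The configured Log Path itself must live under the application's own
    //    log directory, so a Log Path of /etc is refused regardless of the name.
    $base = realpath($allowedBase);
    $dir  = realpath($logPath);
    if ($base === false || $dir === false) {
        return null;
    }
    if ($dir !== $base && !str_starts_with($dir, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    // 3. Resolve the candidate and confirm it is a regular file inside $dir.
    //    realpath() follows symlinks, so a link pointing outside is caught too.
    $candidate = realpath($dir . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (!str_starts_with($candidate, $dir . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Self-contained demonstration on a constructed temporary directory tree.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logview_' . bin2hex(random_bytes(4));
mkdir($tmp . '/log', 0700, true);
file_put_contents($tmp . '/log/cacti.log', "log line\n");
file_put_contents($tmp . '/secret.txt', "not a log\n");
symlink($tmp . '/secret.txt', $tmp . '/log/link.log');

$cases = [
    // [Log Path, requested filename, expected outcome]
    [$tmp . '/log', 'cacti.log',     'allowed'],
    [$tmp . '/log', '../secret.txt', 'refused'],  // traversal
    [$tmp . '/log', 'link.log',      'refused'],  // symlink escape
    ['/etc',        'passwd',        'refused'],  // Log Path in a private directory
];
foreach ($cases as [$logPath, $name, $expected]) {
    $result = resolve_log_file($logPath, $name, $tmp . '/log') === null ? 'refused' : 'allowed';
    printf("%-8s %-14s -> %s (expected %s)\n", basename($logPath), $name, $result, $expected);
}

// Remove the constructed tree.
unlink($tmp . '/log/link.log');
unlink($tmp . '/log/cacti.log');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/log');
rmdir($tmp);
```

The important design point is step 2: a name-only check (step 1) or a containment check (step 3) alone does not help when the administrator-controlled Log Path setting is itself pointed at /etc, because /etc/passwd is then legitimately "inside" the configured directory. Anchoring the Log Path to an application-owned base directory closes that path, and step 3 additionally defeats symlinks dropped into the log directory.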