Summary
A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when register_argc_argv option of PHP is On.
Details
In
|
$cactiphp = proc_open(read_config_option('path_php_binary') . ' -q ' . CACTI_PATH_BASE . '/script_server.php realtime ' . $poller_id, $cactides, $pipes); |
, the
$poller_id used as part of the command execution is sourced from
$_SERVER['argv'], which can be controlled by URL when
register_argc_argv option of PHP is
On. And this option is
On by default in many environments such as
the main PHP Docker image for PHP.
PoC
http://localhost/cacti/cmd_realtime.php?1+1&&calc.exe+1+1+1
LioTree Reporter
Summary
A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when
register_argc_argvoption of PHP isOn.Details
In
cacti/cmd_realtime.php
Line 119 in 5017129
$poller_idused as part of the command execution is sourced from$_SERVER['argv'], which can be controlled by URL whenregister_argc_argvoption of PHP isOn. And this option isOnby default in many environments such as the main PHP Docker image for PHP.PoC