
SQL injection vulnerability when requesting automation devices

Moderate
netniV published GHSA-fh3x-69rr-qqpp Jan 26, 2025

Package

Cacti (PHP)

Affected versions

1.2.28

Patched versions

1.2.29

Description

Summary

A SQL injection vulnerability exists in the get_discovery_results function of automation_devices.php: the parameter network is concatenated into sql_where without sufficient filtering.

Discoverer

LoRexxar@Qianxin Tiangong Lab

Details

In automation_devices.php line 416

$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'network_id=' . $network;

The $network value is concatenated directly into the SQL statement.
In automation_devices.php line 375

		'network' => array(
			'filter' => FILTER_CALLBACK,
			'pageset' => true,
			'default' => '',
			'options' => array('options' => 'sanitize_search_string')
			),

The filter for network is FILTER_CALLBACK, which means sanitize_search_string is applied to the network parameter.
That function is defined in lib/function.php:

function sanitize_search_string($string) {
	static $drop_char_match = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
	static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');

	/* Replace line endings by a space */
	$string = preg_replace('/[\n\r]/is', ' ', $string);

	/* HTML entities like &nbsp; */
	$string = preg_replace('/\b&[a-z]+;\b/', ' ', $string);

	/* Remove URL's */
	$string = preg_replace('/\b[a-z0-9]+:\/\/[a-z0-9\.\-]+(\/[a-z0-9\?\.%_\-\+=&\/]+)?/', ' ', $string);

	/* Filter out strange characters like ^, $, &, change "it's" to "its" */
	for($i = 0; $i < cacti_count($drop_char_match); $i++) {
		$string =  str_replace($drop_char_match[$i], $drop_char_replace[$i], $string);
	}

	return $string;
}

We found that sanitize_search_string just filters out many symbols.
However, the parameter network is not enclosed in quotes, so we can directly insert it into the SQL statement for execution.
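The following PHP is an added example, not Cacti's code. It puts the concatenation pattern from line 416 beside two hardened alternatives (integer validation with FILTER_VALIDATE_INT, and a bound parameter for a prepared statement) and runs a legitimate id and the URL-decoded PoC value through each. The function names and inputs are constructed for illustration, and no database is involved; the functions only build the WHERE fragment.

```php
<?php
// Added example, not Cacti's code. It places the concatenation the advisory
// describes beside two hardened variants and runs constructed inputs through
// each. No database is touched; the functions only build the WHERE fragment.

// Vulnerable form (same shape as the advisory's line 416): whatever survives
// sanitize_search_string is spliced into the SQL text unquoted, so letters and
// spaces such as " or 1" reach the query intact.
function build_where_vulnerable(string $sql_where, string $network): string {
    return $sql_where . ($sql_where != '' ? ' AND ' : 'WHERE ') . 'network_id=' . $network;
}

// Hardened form 1: network_id is a numeric key, so validate it as an integer
// instead of stripping symbols. FILTER_VALIDATE_INT returns false for anything
// that is not a plain integer, including "321321 or 1".
function build_where_validated(string $sql_where, string $network): ?string {
    $id = filter_var($network, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null; // reject; the caller decides whether to drop the filter or error out
    }
    return $sql_where . ($sql_where != '' ? ' AND ' : 'WHERE ') . 'network_id=' . $id;
}

// Hardened form 2: keep the value out of the SQL text altogether and return it
// as a bound parameter for a prepared statement ("?" placeholder).
function build_where_prepared(string $sql_where, array $params, string $network): array {
    $id = filter_var($network, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return [$sql_where, $params]; // invalid id: leave the clause unchanged
    }
    $sql_where .= ($sql_where != '' ? ' AND ' : 'WHERE ') . 'network_id = ?';
    $params[]   = $id;
    return [$sql_where, $params];
}

// Constructed inputs: a legitimate id and the advisory's PoC value, URL-decoded.
foreach (['321', '321321 or 1'] as $network) {
    echo "input: {$network}\n";
    echo "  vulnerable: " . build_where_vulnerable('', $network) . "\n";
    echo "  validated:  " . (build_where_validated('', $network) ?? '(rejected)') . "\n";
    [$where, $params] = build_where_prepared('', [], $network);
    echo "  prepared:   " . ($where === '' ? '(rejected)' : $where) . ' ' . json_encode($params) . "\n";
}
```

For the legitimate id all three forms produce a usable clause; for the PoC value only the vulnerable form emits "WHERE network_id=321321 or 1", while both hardened forms reject it. Validating the type of a numeric id is the right fix here because a character blocklist such as sanitize_search_string cannot express what an unquoted SQL integer literal is allowed to contain.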

PoC

automation_devices.php?network=321321%20or%201
Setting network to 321 or 1 makes the condition always true, so you get all results back.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2024-54145

Weaknesses

No CWEs

Credits