Vulnerabilities > CVE-2005-1526 - Remote File Include vulnerability in RaXnet Cacti Config_Settings.PHP

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

the-cacti-group

nessus

NVD

Published: 2005-06-22

Updated: 2017-07-11

Summary

PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter.

Vulnerable Configurations

Part	Description	Count
Application	The_Cacti_Group THE Cacti Group Cacti 0.5 THE Cacti Group Cacti 0.6 THE Cacti Group Cacti 0.6.1 THE Cacti Group Cacti 0.6.2 THE Cacti Group Cacti 0.6.3 THE Cacti Group Cacti 0.6.4 THE Cacti Group Cacti 0.6.5 THE Cacti Group Cacti 0.6.6 THE Cacti Group Cacti 0.6.7 THE Cacti Group Cacti 0.6.8 THE Cacti Group Cacti 0.6.8A THE Cacti Group Cacti 0.8 THE Cacti Group Cacti 0.8.1 THE Cacti Group Cacti 0.8.2 THE Cacti Group Cacti 0.8.2A THE Cacti Group Cacti 0.8.3 THE Cacti Group Cacti 0.8.3A THE Cacti Group Cacti 0.8.4 THE Cacti Group Cacti 0.8.5A THE Cacti Group Cacti *	20

Nessus

NASL family	CGI abuses
NASL id	CACTI_086E_VCHECK.NASL
description	According to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.6e. It is, therefore, potentially affected by the following vulnerabilities : - A PHP file inclusion vulnerability exists in
last seen	2020-06-01
modified	2020-06-02
plugin id	81601
published	2015-03-03
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/81601
title	Cacti < 0.8.6e Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(81601); script_version("1.3"); script_cvs_date("Date: 2018/11/15 20:50:16"); script_cve_id("CVE-2005-1524", "CVE-2005-1525", "CVE-2005-1526"); script_bugtraq_id(14027, 14028, 14030, 14042, 14128, 14129); script_name(english:"Cacti < 0.8.6e Multiple Vulnerabilities"); script_summary(english:"Checks the version of Cacti."); script_set_attribute(attribute:"synopsis", value: "The remote web server is running a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.6e. It is, therefore, potentially affected by the following vulnerabilities : - A PHP file inclusion vulnerability exists in 'top_graph_header.php' that allows remote attackers to execute arbitrary PHP code using the 'config[library_path]' parameter. (CVE-2005-1524) - A SQLi vulnerability exists in 'config_settings.php' that allows remote attackers to execute arbitrary SQL commands using the 'id' parameter. (CVE-2005-1525) - A PHP remote file inclusion vulnerability exists in 'config_settings.php' that allows remote attackers to execute arbitrary PHP code using the 'config[include_path]' parameter. (CVE-2005-1526)"); script_set_attribute(attribute:"see_also", value:"http://www.cacti.net/release_notes_0_8_6e.php"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/403174/30/0/threaded"); script_set_attribute(attribute:"solution", value:"Upgrade to Cacti 0.8.6e or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Cacti graph_view.php Remote Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/22"); script_set_attribute(attribute:"patch_publication_date", value:"2005/06/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/03"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cacti:cacti"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("cacti_detect.nasl"); script_require_ports("Services/www", 80); script_require_keys("installed_sw/cacti", "www/PHP", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); app = 'cacti'; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); install_url = build_url(qs:install['path'], port:port); version = install['version']; ver = split(version, sep:'.', keep:FALSE); if ( int(ver[0]) == 0 && ( int(ver[1]) < 8 \|\| (int(ver[1]) == 8 && ver[2] =~ '^([0-5][a-z]?\|6[a-d]?)$') ) ) { set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed version : 0.8.6e' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } audit(AUDIT_WEB_APP_NOT_AFFECTED, "Cacti", install_url, version);

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200506-20.NASL
description	The remote host is affected by the vulnerability described in GLSA-200506-20 (Cacti: Several vulnerabilities) Cacti fails to properly sanitize input which can lead to SQL injection, authentication bypass as well as PHP file inclusion. Impact : An attacker could potentially exploit the file inclusion to execute arbitrary code with the permissions of the web server. An attacker could exploit these vulnerabilities to bypass authentication or inject SQL queries to gain information from the database. Only systems with register_globals set to
last seen	2020-06-01
modified	2020-06-02
plugin id	18547
published	2005-06-23
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/18547
title	GLSA-200506-20 : Cacti: Several vulnerabilities

NASL family	CGI abuses
NASL id	CACTI_086E.NASL
description	The Cacti application running on the remote web server is affected by a local file inclusion vulnerability due to improperly validating user-supplied input to the
last seen	2020-06-01
modified	2020-06-02
plugin id	18546
published	2005-06-22
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18546
title	Cacti Local File Inclusion Vulnerability

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-764.NASL
description	Several vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems : - CAN-2005-1524 Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-1525 Due to missing input validation cacti allows a remote attacker to insert arbitrary SQL statements. - CAN-2005-1526 Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti. - CAN-2005-2148 Stefan Esser discovered that the update for the above mentioned vulnerabilities does not perform proper input validation to protect against common attacks. - CAN-2005-2149 Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
last seen	2020-06-01
modified	2020-06-02
plugin id	19258
published	2005-07-21
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19258
title	Debian DSA-764-1 : cacti - several vulnerabilities

Summary

Vulnerable Configurations

Nessus

References