The Weathermap Editor Cacti plugin <= v0.97a contains a remote code execution vulnerability due to insufficient user-input validation. The editor allows unauthenticated remote users to create new maps with names that include PHP file extensions and to inject PHP code via inserted map node properties. New maps are stored as a configuration file using the specified map name as the filename. When the resulting configuration file with a PHP extension is accessed directly, the contained PHP code executes.
- The remote unauthenticated user sends a GET request to create a new map with a name containing a PHP file extension.
- The remote attacker sends a POST request to create a new node on the new map and records the returned node label.
- The remote attacker sends a POST request injecting PHP into the ‘infourl’ property of the new node.
- The remote attacker requests the created map configuration file, which causes the contained PHP code to execute.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attack can be mitigated by:
- Virtual patching/WAF rules to filter the exploit requests
- Setting access control restrictions on the editor file itself
- Placing an ‘.htaccess’ file in the ‘weathermap/configs/’ directory to prevent execution of PHP or deny access to files with executable file extensions
- Temporarily disabling the editor by changing the ‘$ENABLED’ value at the top of the ‘editor.php’ file to ‘false’
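A check to run alongside these mitigations, as an added example that is not part of the original advisory: because new maps are written to the configs directory under the requested map name, this Python audit flags any stored file whose name carries an executable extension or whose contents include a PHP open tag. The function names, the extension list and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions a typical Apache/PHP setup hands to the PHP handler.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# "<?php", the short echo tag "<?=", or the short tag "<?" plus whitespace.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)


def audit_configs(config_dir):
    """Return sorted (relative_path, reasons) pairs for suspicious map files."""
    findings = []
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = []
            if EXEC_EXT.search(name):
                reasons.append("executable-extension")
            try:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read()):
                        reasons.append("php-open-tag")
            except OSError as exc:
                reasons.append("unreadable: %s" % exc.strerror)
            if reasons:
                findings.append((os.path.relpath(path, config_dir), reasons))
    return sorted(findings)


def demo():
    """Run the audit over a constructed directory (sample data, not real maps)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "office.conf"), "w") as fh:
            fh.write("NODE core\n\tLABEL core\n\tINFOURL http://example.com/\n")
        with open(os.path.join(d, "sample.php"), "w") as fh:
            fh.write("NODE n1\n\tINFOURL <?php /* constructed placeholder */ ?>\n")
        return audit_configs(d)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(rel_path, ", ".join(reasons))
```

Point `audit_configs` at the plugin's `weathermap/configs/` directory. A hit on a host where the editor was reachable warrants a review of that file and of the web server logs.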