VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2023 · Updated Feb 25, 2026

Local File Inclusion (RCE) in Cacti

CVE-2023-49084

Description

Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). By using the detected SQL injection together with insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `link.php`. The impact of the vulnerability is execution of arbitrary code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Insufficient sanitization of the `contentfile` path from the `external_links` table in `link.php` allows directory traversal, enabling local file inclusion of a log file previously poisoned with PHP code via SQL injection."

Attack vector

An authenticated attacker first exploits a separate SQL injection vulnerability in `pollers.php` to insert a malicious row into the `external_links` table, setting the `contentfile` field to a path like `....//....//....//....//opt/cacti/log/cacti.log` [ref_id=1]. The same SQL injection is then used to poison the Cacti log file by injecting PHP code (e.g., `<?php system('id') ?>`) via an error-based technique [ref_id=1]. Finally, the attacker enables the "External Link Permissions" for their user in the Cacti UI, which causes `link.php` to include the poisoned log file, executing the injected PHP code on the server [ref_id=1].

Affected code

The vulnerable component is `link.php`. The advisory states that line 27 reads from the `external_links` table, line 56 checks permissions, line 79 forms the file path, line 81 checks existence, and line 82 includes the file [ref_id=1]. The path construction on line 79 does not adequately sanitize the `contentfile` value retrieved from the database, allowing directory traversal sequences such as `....//` to bypass the sanitization check shown in Figure 3 [ref_id=1].

What the fix does

The advisory recommends improving data escaping to prevent Local File Inclusion [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are not visible. The mitigation should ensure that the `contentfile` value retrieved from the database is properly sanitized to block directory traversal sequences (such as `....//`) before being used in a file include operation in `link.php` [ref_id=1].
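An added illustration of the bypass class and a containment-based check; it is not Cacti's code and not the actual patch. It assumes the bypassed check was a single-pass removal of `../` (the page does not show it), and the function names and the temporary directory layout are hypothetical.

```php
<?php
// Added illustration, not Cacti source. The filter, function names and
// directory layout are assumptions; the page does not show the real check.

// Assumed weak check: strip "../" once. "....//" collapses back to "../".
function weak_clean(string $contentfile): string {
    return str_replace('../', '', $contentfile);
}

// Hardened: reject instead of repairing, then verify containment on the
// canonical path. Returns the path to include, or null to refuse.
function resolve_content_file(string $baseDir, string $contentfile): ?string {
    // Stored value must be a bare file name: no separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/', $contentfile)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $contentfile);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing outside fails here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree standing in for a content directory and a log.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/content", 0700, true);
mkdir("$root/log", 0700, true);
file_put_contents("$root/content/test.html", 'ok');
file_put_contents("$root/log/app.log", 'log line');
$base = realpath("$root/content") . DIRECTORY_SEPARATOR;

foreach (['test.html', '....//log/app.log', '../log/app.log'] as $value) {
    $weak    = realpath("$root/content/" . weak_clean($value));
    $escaped = $weak !== false && strncmp($weak, $base, strlen($base)) !== 0;
    $safe    = resolve_content_file("$root/content", $value);
    printf("%-20s weak filter leaves base: %-3s hardened: %s\n",
        $value, $escaped ? 'yes' : 'no', $safe === null ? 'rejected' : 'accepted');
}

// Remove the demo tree.
unlink("$root/content/test.html");
unlink("$root/log/app.log");
rmdir("$root/content");
rmdir("$root/log");
rmdir($root);
```

Only a non-null return value from the hardened function should ever reach `include`; any value that needs repairing is refused rather than cleaned.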

Preconditions

  • auth: Attacker must be an authenticated user of Cacti
  • input: Attacker must be able to exploit a SQL injection vulnerability in `pollers.php` to write to the `external_links` table
  • config: Attacker must have the ability to enable 'External Link Permissions' for their user account via the Cacti UI

Reproduction

1. As an authenticated user, send a POST request to `/cacti/pollers.php?header=false` with a SQL injection payload in the `dbhost` parameter to insert a row into `external_links` with `contentfile` set to `....//....//....//....//opt/cacti/log/cacti.log` [ref_id=1].
2. Send another POST request to the same endpoint with an error-based SQL injection payload in `dbhost` to inject PHP code (e.g., `<?php system('id') ?>`) into `/opt/cacti/log/cacti.log` [ref_id=1].
3. In the Cacti UI, navigate to Configuration → Users → User → Permissions → External Link Permissions and enable the permission for the attacker's user [ref_id=1].
4. Click the "Test" menu item that appears; the poisoned log file is included and the PHP code executes, displaying the output of the `id` command [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
