Cacti SQL Injection vulnerability

An authenticated attacker sends a POST request to `pollers.php?header=false` with `action=save` and a crafted `dbhost` parameter containing SQL injection payloads. The advisory demonstrates a payload using `"; select sleep(5); select * from poller where 1=1 and "%"="` which causes a 5-second database delay, confirming successful injection [ref_id=1]. The vulnerability supports multi-query execution, allowing an attacker to run multiple arbitrary SQL statements in a single request [ref_id=1].

The vulnerability resides in `pollers.php`. The `form_save` action (line 321) calls `poller_host_duplicate` and passes the unsanitized `get_nfilter_request_var('dbhost')` value as the second parameter. Inside `poller_host_duplicate` (line 427), this attacker-controlled `$host` variable is used directly in a SQL query without escaping, enabling SQL injection [ref_id=1].

As of the time of publication, no patch exists [ref_id=1]. The advisory recommends improving user data escaping to prevent SQL injection as the general mitigation strategy [ref_id=1]. Without a code fix, the `dbhost` parameter remains unsanitized and directly interpolated into SQL queries in the `poller_host_duplicate` function.

Send a POST request to `/cacti/pollers.php?header=false` with `Content-Type: application/x-www-form-urlencoded` and a body containing `action=save` and a `dbhost` parameter with a SQL injection payload such as `"; select sleep(5); select * from poller where 1=1 and "%"="`. The advisory shows the full HTTP request in Listing 1, including required cookies like `__csrf_magic` and the `Cacti` session cookie [ref_id=1]. A response delay of 5+ seconds confirms successful injection.