Cacti RCE vulnerability when importing packages

An authenticated user with the 'Import Templates' permission can exploit this vulnerability. The attacker crafts a malicious XML package containing a file with a path traversal sequence in its name and arbitrary PHP code as its content. This package is then uploaded and imported via the 'Package Import' feature. The server-side script processes this XML, writing the malicious PHP file to a location within the Cacti base path, or potentially outside of it, enabling arbitrary code execution when accessed.

The vulnerability resides in the `import_package()` function within the `/lib/import.php` script. Specifically, the code fails to sanitize the `$name` variable derived from the XML data before constructing the full file path using `CACTI_PATH_BASE . "/$name"` and subsequently writing the file content.

The patch introduces a regular expression check, `preg_match('/^(scripts|resource)[a-zA-Z0-9_\-]*$/', dirname($name))`, within the `import_package()` function. This validation ensures that the directory where the file is intended to be written is within the expected 'scripts' or 'resource' subdirectories of the Cacti base path. By rejecting filenames with invalid path components, it prevents path traversal and the writing of arbitrary files to unintended locations, thereby mitigating the arbitrary file write and subsequent RCE vulnerability.

Use the provided PHP script to generate a malicious `test.xml.gz` file. Log in to Cacti with a user having 'Import Templates' permission, navigate to 'Import/Export' -> 'Import Packages', and upload the generated file. The PHP file will be written to the resource directory and can be accessed via `http://[cacti]/resource/test.php` to confirm code execution.