Cacti RCE vulnerability by file include in lib/plugin.php

An authenticated attacker first exploits a separate SQL injection vulnerability (e.g., in `automation_tree_rules.php` [ref_id=2]) to insert a malicious payload into the `plugin_hooks` or `external_links` table. The payload sets a path traversal string (e.g., `....//....//....//....//opt/cacti/log/cacti.log`) as the file to include [ref_id=1]. The attacker then poisons the Cacti log file with PHP code via error-based SQL injection [ref_id=1]. Finally, by triggering the vulnerable include path (e.g., clicking a crafted external link or invoking the plugin hook), the poisoned log file is included and the PHP code executes, achieving remote code execution [ref_id=1][ref_id=3].

The vulnerability resides in `lib/plugin.php` within the `api_plugin_hook()` function. This function reads data from the `plugin_hooks` and `plugin_config` database tables and directly concatenates it into a file path used for inclusion, without proper sanitization [ref_id=3]. Additionally, `link.php` (line 79–82) constructs a file path from the `external_links.contentfile` column and includes it without adequate validation [ref_id=1].

The patch in version 1.2.27 improves data escaping to prevent local file inclusion [ref_id=1]. Specifically, it sanitizes the file path constructed from database values before inclusion, blocking path traversal sequences. Combined with proper escaping of SQL inputs, this closes both the injection vector and the subsequent file inclusion, preventing an attacker from including arbitrary files (such as a poisoned log) and executing code.