Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
https://github.com/Cacti/cacti/issues/1066 https://github.com/Cacti/cacti/commit/a179e8092dbff7406e39ca16c2823f4fe530f5e0 https://github.com/Cacti/cacti/commit/c0f0ce27f0c281d7e1e57f91891c5ca9a92df013 https://github.com/Cacti/cacti/commit/96d793f33ebf16c0b12e1ec779d7debb87990cdd