Summary
poller_apcupsd.php:366 concatenates $ups['hostname'] and $ups['port'] from the database directly into a shell command string passed to exec() without escapeshellarg(). A hostname containing ;, |, or backticks causes OS command injection as the poller process user. An admin account is required to write the device record, but a SQL injection elsewhere could bypass that requirement.
Details
| Field | Value |
| --- | --- |
| File | poller_apcupsd.php |
| Line | 366 |
| Auth required | Yes — Cacti admin to set hostname |
| CWE | CWE-78 |
```php
// Before
$command = $found_path . 'apcaccess -u -h ' . $ups['hostname'] . ':' . $ups['port'];
exec($command, $output, $return);

// After — via CommandBuilder::buildApcaccessCommand()
// hostname validated: /^[a-zA-Z0-9.\-]{1,253}$/
// port validated: integer 1-65535
// binary path validated against allowlist
// escapeshellarg() applied to all arguments
```
Fix applied in src/Security/CommandBuilder.php, branch security/apcupsd-escapeshellarg-hostname-port.
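The four checks listed under "After", sketched as an added example; this is not the project's `CommandBuilder` code. The function name `build_apcaccess_command_example`, the allowlist paths and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist of apcaccess locations (constructed for this example).
const APCACCESS_ALLOWLIST = ['/sbin/apcaccess', '/usr/sbin/apcaccess'];

/**
 * Hypothetical builder: validate every database-sourced value, then quote it.
 * $port is accepted as int or numeric string, as it would come from a DB row.
 */
function build_apcaccess_command_example(string $binary, string $hostname, $port): string
{
    if (!in_array($binary, APCACCESS_ALLOWLIST, true)) {
        throw new InvalidArgumentException('apcaccess path not in allowlist');
    }
    // \A and \z anchor the whole string; a bare $ in PCRE also matches
    // just before a trailing newline, which would let "host\n" through.
    if (preg_match('/\A[a-zA-Z0-9.\-]{1,253}\z/', $hostname) !== 1) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $port = filter_var($port, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('invalid port');
    }
    // Quote even after validation, so a later loosening of the
    // regex does not reopen the injection.
    return escapeshellarg($binary) . ' -u -h ' . escapeshellarg($hostname . ':' . $port);
}

// Constructed device rows: one valid, three that must be rejected.
$rows = [
    ['hostname' => 'ups1.example.net', 'port' => '3551'],
    ['hostname' => 'ups1;id',          'port' => '3551'],
    ['hostname' => "ups1\n",           'port' => '3551'],
    ['hostname' => 'ups1.example.net', 'port' => '70000'],
];
foreach ($rows as $ups) {
    try {
        echo build_apcaccess_command_example('/sbin/apcaccess', $ups['hostname'], $ups['port']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```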
Acceptance criteria
- `[a-zA-Z0-9.\-]{1,253}` before exec
- `escapeshellarg()` applied to all shell arguments
- `tests/Security/CommandInjectionRegressionTest.php`