Findings (validated by xAI Grok security review)
1. RLIKE SQL Injection (HIGH)
hmib_types.php:395-396: DB-sourced values $known['sysObjectID'] and $known['sysDescrMatch'] are concatenated raw into RLIKE SQL clauses without db_qstr() escaping.
2. exec() command execution (HIGH)
poller_graphs.php:316,319,448: exec/shell_exec with constructed command stringssnmp.php:139,252: exec with SNMP path and hostname parameters (partially escaped with cacti_escapeshellarg)
Recommended fixes
- Wrap RLIKE values with db_qstr()
- Audit all exec() paths for complete input escaping
Findings (validated by xAI Grok security review)
1. RLIKE SQL Injection (HIGH)
hmib_types.php:395-396: DB-sourced values$known['sysObjectID']and$known['sysDescrMatch']are concatenated raw into RLIKE SQL clauses without db_qstr() escaping.2. exec() command execution (HIGH)
poller_graphs.php:316,319,448: exec/shell_exec with constructed command stringssnmp.php:139,252: exec with SNMP path and hostname parameters (partially escaped with cacti_escapeshellarg)Recommended fixes