Summary
mikrotik_users.php:63 calls unserialize() on the selected_items request parameter (read through get_request_var(), so it is attacker-supplied via POST) without the ['allowed_classes' => false] option. Any authenticated Cacti user can submit a crafted serialised payload that instantiates arbitrary PHP objects; if the autoloader can reach classes with exploitable magic methods (__wakeup(), __destruct(), __toString()), this enables property-oriented programming (POP) gadget chain execution.
The form at line 157 that submits this value carries no CSRF token, so the payload can also be delivered by a cross-site POST from any page the victim visits while logged in to Cacti. The fix below addresses only the unserialize() call, not the missing token.
Details
| Field | Value |
|---|---|
| File | mikrotik_users.php |
| Line | 63 |
| Auth required | Yes (authenticated Cacti user) |
| CWE | CWE-502 (Deserialization of Untrusted Data) |
```php
// Before: any class the autoloader can find is instantiated from attacker input.
$selected_items = unserialize(stripslashes(get_request_var('selected_items')));
```

```php
// After: objects in the payload are demoted to __PHP_Incomplete_Class, so no
// real class's __wakeup()/__destruct() runs; anything that is not the expected
// array of selected IDs is discarded.
$selected_items = unserialize(stripslashes(get_request_var('selected_items')), ['allowed_classes' => false]);
if (!is_array($selected_items)) {
	$selected_items = [];
}
```
Fix applied in branch security/1-restrict-unserialize-allowed-classes.
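The following is an added, self-contained example (not Cacti or plugin code) showing why the option in the fix above neutralises object injection. Gadget is a hypothetical stand-in for any autoloadable class with a dangerous magic method; the serialised inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Cacti or plugin code). Gadget is a hypothetical class
// with a dangerous magic method; here it only records that it ran.
final class Gadget
{
    /** @var string[] commands the gadget would have executed */
    public static array $executed = [];

    public string $cmd = '';

    // Invoked when the object is freed; a real gadget might call system().
    public function __destruct()
    {
        self::$executed[] = $this->cmd;
    }
}

// Before: mirrors the vulnerable call. Any class the autoloader can find
// is instantiated with attacker-controlled properties.
function loadSelectedItemsUnsafe(string $raw)
{
    return unserialize(stripslashes($raw));
}

// After: objects are demoted to __PHP_Incomplete_Class, so no real class's
// __wakeup()/__destruct() runs, and anything that is not an array is dropped.
function loadSelectedItemsSafe(string $raw): array
{
    $items = unserialize(stripslashes($raw), ['allowed_classes' => false]);
    return is_array($items) ? $items : [];
}

// Constructed inputs: what the form legitimately posts, and an attacker's
// object payload, hand-written so that no Gadget is created while building it.
$legit  = 'a:3:{i:0;i:3;i:1;i:7;i:2;i:12;}';   // serialize([3, 7, 12])
$attack = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}';

// Vulnerable path: a real Gadget is created and its destructor fires on free.
$obj = loadSelectedItemsUnsafe($attack);
if (!$obj instanceof Gadget) {
    throw new RuntimeException('expected the vulnerable path to build a Gadget');
}
unset($obj);
if (Gadget::$executed !== ['id']) {
    throw new RuntimeException('expected the gadget destructor to run');
}

// Hardened path: the payload never becomes a Gadget and the guard returns [].
Gadget::$executed = [];
$safe = loadSelectedItemsSafe($attack);
if ($safe !== [] || Gadget::$executed !== []) {
    throw new RuntimeException('hardened path still executed the gadget');
}

// Legitimate input is unaffected.
if (loadSelectedItemsSafe($legit) !== [3, 7, 12]) {
    throw new RuntimeException('hardened path broke legitimate input');
}
echo "allowed_classes => false blocks the gadget; legitimate input still works\n";
```

Run it with `php example.php`; it throws if either path misbehaves. Two caveats a reviewer should keep in mind: `allowed_classes` only stops class instantiation, it does not make unserialize() safe against deeply nested payloads (PHP 7.4 and later accept a `max_depth` option for that) or against engine-level parser bugs, so for new code that only needs a list of IDs, a JSON or comma-separated encoding validated with intval() is the stronger choice.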
Acceptance criteria
- ['allowed_classes' => false] passed to all unserialize() calls on request data
- tests/Security/ObjectInjectionTest.php (object-injection regression test) passes