CVE-2022-41444: XSS vulnerability in Cacti
Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.
XSS vulnerability in Cacti https://github.com/Cacti/cacti version v1.2.21
The path of the vulnerability is as follows. In file https://github.com/Cacti/cacti/blob/develop/graphs_new.php

```php
// line 40
switch (get_request_var('action')) {
    case 'save':
        form_save();

// line 117: the source is in $_POST
function form_save() {
    if (isset_request_var('save_component_graph')) {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        foreach ($_POST as $var => $val) {
            //......
            if (strpos($var, 'sgg_') !== false) {
                // Note: the source is now in $snmp_query_id, then function store_get_selected_dq_index will be called
                $snmp_query_id = str_replace('sgg_', '', $var);
                store_get_selected_dq_index($snmp_query_id);
            }
        }
        //.......
    }

// line 100. Note: the source is in $snmp_query_id
function store_get_selected_dq_index($snmp_query_id) {
    // ....
    } elseif (isset_request_var('sgg_' . $snmp_query_id)) {
        // Note: get_filter_request_var will be called
        $selected = get_filter_request_var('sgg_' . $snmp_query_id);
    }
    //....
}
```
In file https://github.com/Cacti/cacti/blob/develop/lib/html_utility.php

```php
// line 424
// the source is in the argument $name
function get_filter_request_var($name, $filter = FILTER_VALIDATE_INT, $options = array()) {
    //....
    // line 503
    if ($value === false) {
        if ($filter == FILTER_VALIDATE_IS_REGEX) {
            //....
        } else {
            // Note: function die_html_input_error will be called
            die_html_input_error($name, get_nfilter_request_var($name));
        }
    }
```
In file https://github.com/Cacti/cacti/blob/develop/lib/html_validate.php

```php
// line 47
// Note: the source is in $variable
function die_html_input_error($variable = '', $value = '', $message = '') {
    //....
    if ($message == '') {
        // Note: the $message will include the $variable as I will explain later, then it will be printed
        $message = __('Validation error for variable %s with a value of %s. See backtrace below for more details.', $variable, $value);
    }

    // Note: the print of the $message
    $variable = ($variable != '' ? ', Variable:' . $variable : '');
    $value = ($value != '' ? ', Value:' . $value : '');

    if (defined('CACTI_CLI_ONLY')) {
        cacti_debug_backtrace('Validation Error' . $variable . $value, false);
        print $message . PHP_EOL;
        exit(1);
    } elseif (isset_request_var('json')) {
        cacti_debug_backtrace('Validation Error' . $variable . $value, false);
        print json_encode(
            array(
                'status' => '500',
                'statusText' => __('Validation Error'),
                'responseText' => $message
            )
        );
    } else {
        cacti_debug_backtrace('Validation Error' . $variable . $value, true);
        // $message is written into the HTML response without encoding
        print "<table style='width:100%;text-align:center;'><tr><td>$message</td></tr></table>";
        bottom_footer();
    }
    exit;
}
```
In file https://github.com/Cacti/cacti/blob/develop/include/global_languages.php

```php
// line 432
function __() {
    global $l10n;

    $args = func_get_args();
    $num = func_num_args();
    //....
    else {
        $args[0] = __gettext($args[0]);
    }
    /* process return string against input arguments */
    return __uf(call_user_func_array('sprintf', $args));
}

// line 393
function __gettext($text, $domain = 'cacti') {
    //....
    if (!isset($translated)) {
        $translated = $text;
    }
    //.....
    return __uf($translated);
}

// line 428
function __uf($text) {
    return str_replace('%%', '%', $text);
}
```
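
The chain above ends with request-derived strings being formatted into a message and printed into HTML without encoding. The following PHP sketch is an added example, not Cacti's code or its official patch: it contrasts that pattern with an encoded version and a strict key check. The function names and sample input are constructed, and numeric query IDs are an assumption.

```php
<?php
// Added illustration with simplified stand-ins; not Cacti's code or its patch.

// Mirrors the reported pattern: request-derived strings are formatted
// into the message and printed into HTML as-is.
function render_error_unsafe(string $variable, string $value): string {
    $message = sprintf('Validation error for variable %s with a value of %s.', $variable, $value);
    return "<table><tr><td>$message</td></tr></table>";
}

// Hardened: encode both strings for the HTML context before formatting.
function render_error_safe(string $variable, string $value): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $message = sprintf('Validation error for variable %s with a value of %s.', $esc($variable), $esc($value));
    return "<table><tr><td>$message</td></tr></table>";
}

// Hardened key handling (assumes query IDs are numeric): accept only
// "sgg_<digits>" instead of any key that merely contains "sgg_".
function extract_snmp_query_id(string $key): ?int {
    return preg_match('/\Asgg_(\d+)\z/', $key, $m) === 1 ? (int) $m[1] : null;
}

// Constructed sample input: one expected key, one key carrying harmless markup.
$post = array(
    'sgg_12'            => '3',
    'sgg_<i>marker</i>' => 'x',
);

foreach ($post as $var => $val) {
    $id = extract_snmp_query_id($var);
    if ($id !== null) {
        echo "accepted snmp_query_id=$id", PHP_EOL;
        continue;
    }
    // Rejected key: show how each renderer would emit it.
    echo 'unsafe: ', render_error_unsafe($var, $val), PHP_EOL;
    echo 'safe:   ', render_error_safe($var, $val), PHP_EOL;
}
```

Either control alone breaks the chain: the strict key check stops unexpected names from reaching the validator, and the encoding makes the error page safe regardless of which caller passes the name.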

The vulnerability was confirmed by the developers. The email was sent on 18/06/2022.