CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to poison data. The vulnerability is found in graphs_new.php. Several validations are performed, but the returnto parameter is passed directly to form_save_button. To bypass this validation, returnto only needs to contain host.php. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.


Patched versions

1.2.25, 1.3.0

Summary

During the review of this project, a Reflected XSS vulnerability was discovered. An attacker could exploit this vulnerability to execute actions on behalf of other users or potentially take over their accounts.

Details

The vulnerability is found in graphs_new.php. Several validations are performed, but the returnto parameter is passed directly to form_save_button. To bypass this validation, returnto only needs to contain host.php.

if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'graphs_new') === false) {
    // returnto is seeded from the Referer header when the user did not arrive from graphs_new
    set_request_var('returnto', basename($_SERVER['HTTP_REFERER']));
}

load_current_session_value('returnto', 'sess_grn_returnto', '');

// The only guard: the value must contain the substring 'host.php' somewhere
if (strpos(get_nfilter_request_var('returnto'), 'host.php') === false) {
    set_request_var('returnto', '');
}

// The otherwise unfiltered value reaches form_save_button as its $cancel_url argument
form_save_button(get_nfilter_request_var('returnto'), 'create');

The form_save_button function handles the returnto parameter as the cancel_url variable. Although cancel_url is escaped with the html_escape function, it is reflected inside the onClick attribute. Since cactiReturnTo is a JavaScript function used for redirection, it is possible to execute arbitrary script by supplying a URL with the javascript:// scheme, which html_escape does not neutralise.

function form_save_button($cancel_url, $force_type = '', $key_field = 'id', $ajax = true) {
    // …

if ($force_type != 'import' && $force_type != 'export' && $force_type != 'save' && $force_type != 'close' && $cancel_url != '') {
    // $cancel_url is HTML-escaped, but it lands inside a JavaScript call in the onClick attribute
    $cancel_action = "<input type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo(\"" . html_escape($cancel_url, ENT_QUOTES) . "\")' value='" . $calt . "'>";
} else {
    $cancel_action = '';
}

?>
<table style='width:100%;text-align:center;'>
    <tr>
        <td class='saveRow'>
            <input type='hidden' name='action' value='save'>
            <?php print $cancel_action;?>
            <input type='submit' class='<?php print $force_type;?> ui-button ui-corner-all ui-widget' id='submit' value='<?php print $alt;?>'>
        </td>
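The strpos() guard above accepts any value that merely contains host.php, and html_escape() cannot help once the value is a javascript: URL handed to cactiReturnTo. The helper below is an added example, not Cacti's code and not its actual 1.2.25 patch: it replaces the substring check with an exact allow-list of target pages (the page names and helper names are assumptions) and shows which sample values each version lets through.

```php
<?php
// Added example, not Cacti's own code. Helper and page names are hypothetical.

function old_substring_check_passes(string $returnto): bool {
    // Mirrors the original guard: passes as long as 'host.php' appears anywhere.
    return strpos($returnto, 'host.php') !== false;
}

function sanitize_returnto(string $returnto, array $allowed_pages = ['host.php', 'graphs_new.php']): string {
    // Validate only the path component; the query string is checked separately.
    $parts = explode('?', $returnto, 2);
    $path  = $parts[0];
    $query = $parts[1] ?? '';

    // Exact match against an allow-list rejects schemes (javascript:, http:),
    // protocol-relative //host, path traversal and embedded control characters.
    if (!in_array($path, $allowed_pages, true)) {
        return '';
    }
    // The query string may only be plain key=value pairs.
    if ($query !== '' && !preg_match('/^[A-Za-z0-9_]+=[A-Za-z0-9_.-]*(&[A-Za-z0-9_]+=[A-Za-z0-9_.-]*)*$/', $query)) {
        return '';
    }
    return $query === '' ? $path : $path . '?' . $query;
}

// Constructed sample inputs, including the payload shape from the advisory's PoC.
$samples = [
    'host.php',
    'host.php?action=edit&id=12',
    'javascript:alert(location.hash.substring(1))//host.php',
    '//evil.example/host.php',
    '../host.php',
];
foreach ($samples as $s) {
    printf("%-55s old check: %-5s sanitized: '%s'\n",
        $s,
        old_substring_check_passes($s) ? 'pass' : 'block',
        sanitize_returnto($s));
}
```

Every sample passes the old substring check; only the first two survive the allow-list.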

PoC

  1. Log in to Cacti.
  2. Open "http://IP/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS".
  3. Click the Cancel button.

Impact

An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. The attacker could also potentially take over user accounts completely, undermining the integrity of user interactions within the system.
