Headline
CVE-2023-39364: Open redirect in change password functionality
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The auth_changepassword.php file accepts ref as a URL parameter and reflects it in the form used to perform the change password. Its value is then used to perform a redirect via the PHP header function. A user can be tricked into performing the change password operation, e.g., via a phishing message, and then into interacting with the malicious website to which the redirection has been performed, e.g., downloading malware, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Summary
In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL.
Details
The auth_changepassword.php file accepts ref as a URL parameter and reflects it in the form used to perform the change password. Its value is then used to perform a redirect via the PHP header function:
// ...
/* ok, at the point the user has been successfully authenticated; so we must decide what to do next */
/* if no console permissions show graphs otherwise, pay attention to user setting */
$realm_id = $user_auth_realm_filenames['index.php'];
$has_console = db_fetch_cell_prepared('SELECT realm_id
    FROM user_auth_realm
    WHERE user_id = ? AND realm_id = ?',
    array($user_id, $realm_id));

if (basename(get_nfilter_request_var('ref')) == 'auth_changepassword.php' || basename(get_nfilter_request_var('ref')) == '') {
    if ($has_console) {
        set_request_var('ref', 'index.php');
    } else {
        set_request_var('ref', 'graph_view.php');
    }
}

if (!empty($has_console)) {
    switch ($user['login_opts']) {
        case '1': /* referer */
            header('Location: ' . sanitize_uri(get_nfilter_request_var('ref'))); break;
        case '2': /* default console page */
            header('Location: index.php'); break;
        case '3': /* default graph page */
            header('Location: graph_view.php'); break;
        default:
            api_plugin_hook_function('login_options_navigate', $user['login_opts']);
    }
} else {
    header('Location: graph_view.php');
}

exit;
// ...
<body class='loginBody'>
    <div class='loginLeft'></div>
    <div class='loginCenter'>
        <div class='loginArea'>
            <div class='cactiLogoutLogo'></div>
            <legend><?php print __('Change Password');?></legend>
            <form name='login' method='post' action='<?php print get_current_page();?>'>
                <input type='hidden' name='action' value='changepassword'>
                <input type='hidden' name='ref' value='<?php print html_escape(get_request_var('ref')); ?>'>
// …
Two functions are involved after the POST, but neither restricts where ref may point:
- The sanitize_uri function, defined in functions.php, only cleans up a URI against XSS; it does not reject external URLs.
- The get_nfilter_request_var function, defined in html_utility.php, returns the value of the request variable without applying any filtering (filtering is left to the caller).
No check is performed to determine whether ref is an internal URL or not.
An arbitrary value of ref (anything that is not empty and whose basename is not auth_changepassword.php) is sufficient to bypass the first if clause, so it is never replaced with the default page.
To reach the sink in the second if clause, two conditions must be true:
- The user has "Console Access" in its "Permissions", i.e. !empty($has_console).
- The "Login Options" ($user['login_opts']) of the user are set to "Show the page that user pointed their browser to." (case '1'). This is the default behavior, as can be verified in the cacti.sql file:
-- ...
CREATE TABLE user_auth (
  -- ...
  `login_opts` tinyint(3) unsigned NOT NULL default '1',
  -- ...
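The check that the code above lacks, as an added example that is neither Cacti's code nor its 1.2.25 fix: a strict validator that accepts ref only when it is a relative path naming a .php page (optionally with a query string), and otherwise falls back to the same console/graph default the vulnerable block uses. The function names, the allowed-path pattern and the sample inputs are assumptions made here for illustration; it assumes PHP 8 for str_contains and str_starts_with.

```php
<?php
declare(strict_types=1);

// Added example (not Cacti's code): validate the ref parameter before it
// is ever used in a Location header. Function names and the allow-list
// pattern are assumptions made for illustration.

/**
 * True only when $ref is a relative path to a .php page, optionally with
 * a query string or fragment. Anything carrying a scheme, a host, a
 * scheme-relative prefix ("//host"), a backslash (treated as "/" by some
 * browsers), directory traversal, or control characters is rejected.
 */
function is_internal_ref(string $ref): bool
{
    if ($ref === '' || strlen($ref) > 2048) {
        return false;
    }
    // CR/LF or other control bytes must never reach a response header.
    if (preg_match('/[\x00-\x1F\x7F]/', $ref) === 1) {
        return false;
    }
    if (str_contains($ref, '\\') || str_starts_with($ref, '//')) {
        return false;
    }
    $parts = parse_url($ref);
    if ($parts === false) {
        return false;
    }
    // A scheme (https:, javascript:, data:), host, port or userinfo means external.
    if (isset($parts['scheme']) || isset($parts['host']) || isset($parts['port']) || isset($parts['user'])) {
        return false;
    }
    $path = $parts['path'] ?? '';
    // Relative path only (no leading "/"), no traversal, must name a .php page.
    if ($path === '' || $path[0] === '/' || str_contains($path, '..')) {
        return false;
    }
    return preg_match('#^[A-Za-z0-9_][A-Za-z0-9_/]*\.php$#', $path) === 1;
}

/**
 * Mirrors the fallback in the vulnerable block: an empty ref, or one that
 * points back at auth_changepassword.php, becomes the default page. Unlike
 * the original, an external or malformed ref also becomes the default
 * instead of being handed to header().
 */
function resolve_redirect_target(string $ref, bool $has_console): string
{
    $default = $has_console ? 'index.php' : 'graph_view.php';
    if (!is_internal_ref($ref)) {
        return $default;
    }
    $page = basename((string) parse_url($ref, PHP_URL_PATH));
    return $page === 'auth_changepassword.php' ? $default : $ref;
}

// Constructed sample values, evaluated for a user with console access.
$samples = [
    'index.php',
    'graph_view.php?action=tree',
    'auth_changepassword.php',
    'https://<malicious_website>',   // the shape used in the PoC below
    '//<malicious_website>/',        // scheme-relative form
    'index.php\\..\\other.php',
    '',
];
foreach ($samples as $ref) {
    printf("%-32s -> %s\n", var_export($ref, true), resolve_redirect_target($ref, true));
}
```

Run it with the PHP CLI; each sample prints the page the user would actually be sent to. The deliberate design choice is an allow-list on the shape of the path rather than a deny-list of schemes, so new tricks (protocol-relative URLs, userinfo, backslashes) fail closed and land on the default page.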
PoC
Prerequisites:
- The target user has "Console Access" in its "Permissions".
- The "Login Options" of the target user are set to "Show the page that user pointed their browser to." (the default).
- The target user is tricked into performing the change password operation.
Exploit:
Send the target user a link like the following:
https://<cacti_installation>/auth_changepassword.php?ref=https://<malicious_website>
After the change password operation, the browser will be redirected to the malicious website.
Impact
A naive user can be tricked into performing the change password operation, e.g., via a phishing message, and then into interacting with the malicious website to which the redirection has been performed, e.g., downloading malware, providing credentials, etc.
Related news
Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.