Skip to content

Cross-Site Scripting vulnerability when creating new graphs

Moderate
netniV published GHSA-gx8c-xvjh-9qh4 Sep 5, 2023

Package

Cacti

Affected versions

1.2.24

Patched versions

1.2.25, 1.3.0

Description

Summary

During the review of this project, a Reflected XSS vulnerability was discovered. An attacker could exploit this vulnerability to execute actions on behalf of other users or potentially take over their accounts.

Details

The vulnerability is found in graphs_new.php. Several validations are performed, but the returnto parameter is directly passed to form_save_button. In order to bypass this validation, returnto must contain host.php.

if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'graphs_new') === false) {
		set_request_var('returnto', basename($_SERVER['HTTP_REFERER']));
	}

	load_current_session_value('returnto', 'sess_grn_returnto', '');

	if (strpos(get_nfilter_request_var('returnto'), 'host.php') === false) {
		set_request_var('returnto', '');
	}

	form_save_button(get_nfilter_request_var('returnto'), 'create');

The form_save_button function handles the returnto parameter as the cancel_url variable. Although the cancel_url variable is escaped with the html_escape function, it is reflected inside the onClick attribute. Since cactiReturnTo is a JavaScript function used for redirection, it's possible to execute arbitrary scripts by utilizing the javascript:// scheme.

function form_save_button($cancel_url, $force_type = '', $key_field = 'id', $ajax = true) {
	// ...

	if ($force_type != 'import' && $force_type != 'export' && $force_type != 'save' && $force_type != 'close' && $cancel_url != '') {
		$cancel_action = "<input type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo(\"" . html_escape($cancel_url, ENT_QUOTES) . "\")' value='" . $calt . "'>";
	} else {
		$cancel_action = '';
	}

	?>
	<table style='width:100%;text-align:center;'>
		<tr>
			<td class='saveRow'>
				<input type='hidden' name='action' value='save'>
				<?php print $cancel_action;?>
				<input type='submit' class='<?php print $force_type;?> ui-button ui-corner-all ui-widget' id='submit' value='<?php print $alt;?>'>
			</td>

PoC

  1. Login to Cacti
  2. Access to "http://IP/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS"
  3. Click the Cancel button.
    poc

Impact

An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. The attacker could also potentially take over user accounts completely, undermining the integrity of user interactions within the system.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2023-39360

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits