Reflected XSS in 1.1.27

[cibvetr2]

We (worlak2 and cibvetr2) found Reflected XSS vuln in last version 1.1.27.(For example we found in Google host with last version of cacti)
PoC
1)http://128.65.97.6/host.php/gahv8'-alert(document.domain)-'w6vt7??host_status=-1&host_template_id=-1&site_id=-1&poller_id=-1&rows=-1&filter=&

With regards worlak2 and cibvetr2

[cigamit]

Can you please confirm this against the current develop branch? I can not reproduce using your example.

I actually receive a permission denied message.

[cibvetr2]

Yes we tested this on local version
1)If you not login

2) If you login

we use version from https://www.cacti.net/downloads/cacti-latest.zip

[carnil]

This issue was assigned CVE-2017-16785

[cigamit]

I don't believe you understood me correctly. Please test with the latest develop branch. I believe this problem has already been solved and is a duplicate of another issue that was resolved recently and finally in this issue e219199.

Therefore, I will mark unable to reproduce until you are able to attempt to reproduce with the latest develop branch. If you find you can not reproduce, we can make it closed and update the change record since we have the CVE to deal with. Please advise.

[worlak2]

We thought that the latest version. 1.1.27 and it's on github 1.1.28 and the site is still old
Therefore, the problem is fixed in 1.1.28. Please update the information on the website

[ronytomen]

1.1.28 has not been released and that is why it does not appear as a download. It's under active development.

1.2.x is a feature branch for later release.

[cigamit]

We are enhancing the fix to the issue linked below in 1.1.28. Also, per ronytomen, I don't believe you understood me correctly. Please test with the latest develop branch. I believe this problem has already been solved and is a duplicate of another issue that was resolved recently and finally in this issue e219199.

Therefore, I will mark unable to reproduce until you are able to attempt to reproduce with the latest develop branch. If you find you can not reproduce, we can make it closed and update the change record since we have the CVE to deal with. Please advise.

[cibvetr2]

yes in 1.1.28 it's problem fixed

[cigamit]

Thanks for confirming. Marking resolved in changelog and closing.

[paulgevers]

I think this is a duplicate of CVE-2017-15194 / issue #1010, or if not, one could consider this a reintroduction of it in commit 054aa82, as discussed in the comments there.