Bypass output validation in select cases #1882

Closed
m8sec opened this issue Aug 30, 2018 · 4 comments

Comments

@m8sec

m8sec commented Aug 30, 2018

v1.1.38 Stored XSS in user_admin.php

When creating a new user on /cacti/user_admin.php, using the “copy” method, it is possible to bypass user input validation. This allows for the creation of a user called <script>alert(1)</script>.

This username just meets the max characters allowed. However, this restriction can be circumvented to allow for longer usernames/XSS payloads by using a web application proxy and editing the request before it is sent to the server.


The stored XSS payload can be executed by clicking in the user’s profile and visiting the “General”, “Permissions”, or “User Settings” tabs.

http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=general
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=realms
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=settings

[Screenshot: unsanitized username]

v1.1.38 Bypass Input Validation in user_group_admin.php

The same vulnerability, of using the “copy” approach to bypass input validation, exists on the user_group_admin.php page. However, I was unable to use the web application proxy trick to extend the field name.


When trying to go back and delete this, I ran into some issues that required me to manually go into the database and remove the group from the “user_auth_group” table.


EDIT - As a PoC I was able to use this for HTML injection, by creating the group <h1>test</h1>. However, the code only rendered when going back to delete the account.

Side-Note: <=0.8.7g Reflected XSS in auth_changepassword.php

I started looking into Cacti after I ran into version 0.8.7g for a customer. There were several reflected XSS vulnerabilities after authentication, but I came across this one in auth_changepassword.php that I did not see very well documented (I could be wrong about that).

/auth_changepassword.php?ref=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Looking at the code itself I saw a hidden parameter that does not validate user input. This code was modified in the later versions 0.8.7.h+.

-m8r0wn
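A defensive sketch of the fix pattern this report calls for, added here as an example and not taken from Cacti's code base: one validator applied on both the create and copy paths, so no second write path can skip it, plus output encoding on the tabs that render the name. The function names, the 50-character limit and the allowed character set are assumptions.

```php
<?php
// Added example, not Cacti's code. Hypothetical helpers showing the fix
// pattern for this bug class: one validator shared by every write path
// (create AND copy), plus output encoding wherever the name is rendered.

const MAX_USERNAME_LEN = 50; // assumed limit, not Cacti's actual value

function validate_username(string $username): bool {
    // Allow-list: letters, digits, dot, underscore, hyphen, '@'; bounded length.
    return strlen($username) > 0
        && strlen($username) <= MAX_USERNAME_LEN
        && preg_match('/^[A-Za-z0-9._@-]+$/', $username) === 1;
}

function store_user(array &$users, string $username): bool {
    // Single choke point: any path that persists a user goes through here.
    if (!validate_username($username)) {
        return false;
    }
    $users[] = $username;
    return true;
}

function create_user(array &$users, string $username): bool {
    return store_user($users, $username);
}

function copy_user(array &$users, string $template, string $newName): bool {
    // The report's bug class: the copy action accepted the new name without
    // the create-path check. Routing through store_user() closes that gap.
    return store_user($users, $newName);
}

function render_user_tab(string $username, string $tab): string {
    // Defense in depth: encode on output even if the value passed validation,
    // so a stored name can never be interpreted as markup on the tab pages.
    $safeName = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeTab  = htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>User: {$safeName}</h2><p>Tab: {$safeTab}</p>";
}

// Constructed sample input mirroring the payload from the report.
$users   = [];
$payload = '<script>alert(1)</script>';
var_dump(create_user($users, 'alice'));
var_dump(copy_user($users, 'alice', $payload));
echo render_user_tab($payload, 'general'), "\n";
```

The copy attempt is rejected at the shared validator, and even if such a value were already in the table, the encoded rendering shows it as literal text rather than executing it.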

@cigamit
Member

cigamit commented Aug 30, 2018

Wow, that's a shocker. Got it. Thanks for testing!!! Doing a sweep now.

@cigamit cigamit changed the title V1.1.38 Bypass User Input Validation Using the "Copy" Method Bypass output validation in select cases Aug 31, 2018
cigamit added a commit that referenced this issue Aug 31, 2018
Bypass output validation in select cases
@cigamit
Member

cigamit commented Aug 31, 2018

Well, that was disturbing. Thanks for the heads up! Need a CVE# on this one.

@m8sec
Author

m8sec commented Sep 2, 2018

Hi @cigamit,
No problem, thanks for the quick response! Let me know if you need any more information to resolve the issue.
-m8r0wn

@cigamit
Member

cigamit commented Sep 2, 2018

Everything is done now from my perspective. If you find anything else, we can address it in the beta 1.2 release. Thanks for your help identifying this gap.

@cigamit cigamit closed this as completed Sep 7, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 30, 2020