Bypass output validation in select cases #1882
v1.1.38 Stored XSS in user_admin.php

When creating a new user on /cacti/user_admin.php using the “copy” method, it is possible to bypass user input validation. This allows for the creation of a user called <script>alert(1)</script>. This username just meets the max characters allowed. However, this restriction can be circumvented to allow for longer usernames/XSS payloads by using a web application proxy and editing the request before it is sent to the server.

The stored XSS payload can be executed by clicking on the user’s profile and visiting the “General”, “Permissions”, or “User Settings” tabs.

v1.1.38 Bypass Input Validation in user_group_admin.php

The same vulnerability, using the “copy” approach to bypass input validation, exists on the user_group_admin.php page. However, I was unable to use the web application proxy trick to extend the field name.

When trying to go back and delete this, I ran into some issues that required me to manually go into the database and remove the group from the “user_auth_group” table.

EDIT - As a PoC I was able to use this for HTML injection by creating the group <h1>test</h1>. However, the code only rendered when going back to delete the account:

Side-Note: <=0.8.7g Reflected XSS in auth_changepassword.php

I started looking into Cacti after I ran into version 0.8.7g for a customer. There were several reflected XSS vulnerabilities after authentication, but I came across this one in auth_changepassword.php that I did not see very well documented (I could be wrong about that).

Looking at the code itself I saw a hidden parameter that does not validate user input. This code was modified in the later versions 0.8.7h+.

-m8r0wn

Comments

Wow, that's a shocker. Got it. Thanks for testing!!! Doing a sweep now.

Well, that was disturbing. Thanks for the heads up! Need a CVE# on this one.

Hi @cigamit,

Everything is done now from my perspective. If you find anything else, we can address it in the beta 1.2 release. Thanks for your help identifying this gap.
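The pattern the report describes (validation applied on the "new" path, skipped on the "copy" path, and a length limit enforced only by the form's maxlength attribute) is modelled below as an added example. This is illustrative Python written for this page, not Cacti's PHP code: the handler names, the `action`/`username` fields, the 25-character limit (chosen because the report says the 25-character `<script>alert(1)</script>` "just meets the max"), and the character allowlist are all assumptions. It shows the vulnerable branch beside a hardened one that validates on every write path and escapes at the render sink, which is what makes the same stored payload in user_group_admin.php inert as well.

```python
import html
import re

# Assumptions for this example (not taken from Cacti): the form's maxlength and
# the server-side cap are both 25, and usernames are restricted to this allowlist.
USERNAME_MAX = 25
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def username_is_valid(name: str) -> bool:
    """Server-side check: allowlisted characters plus a length cap.

    The length cap lives here, not in the HTML form, so a request edited in a
    web proxy to carry a longer name is rejected just like a short bad one.
    """
    return 0 < len(name) <= USERNAME_MAX and USERNAME_RE.fullmatch(name) is not None


def save_user_vulnerable(post: dict) -> dict:
    """Vulnerable pattern: validation keyed on the form action.

    Only action == 'new' reaches the check; the 'copy' path stores whatever
    name arrived, and nothing server-side enforces the form's maxlength.
    """
    name = post.get("username", "")
    if post.get("action") == "new" and not username_is_valid(name):
        return {"error": "invalid username"}
    return {"username": name}  # 'copy' falls through unvalidated


def save_user_hardened(post: dict) -> dict:
    """Hardened pattern: validate before branching on the action at all."""
    name = post.get("username", "")
    if not username_is_valid(name):
        return {"error": "invalid username"}
    return {"username": name}


def render_tab_heading(username: str) -> str:
    """Output encoding at the sink (the tab heading in the report).

    Even a name that reached the database through an unvalidated path renders
    as text rather than markup.
    """
    return f"<h3>{html.escape(username, quote=True)}</h3>"


def demo() -> dict:
    """Run the constructed payload from the report through both handlers."""
    payload = "<script>alert(1)</script>"  # constructed; 25 chars, fits maxlength
    long_name = "a" * 60                   # constructed; only a proxy-edited request can send this
    return {
        "copy_vulnerable": save_user_vulnerable({"action": "copy", "username": payload}),
        "copy_long_vulnerable": save_user_vulnerable({"action": "copy", "username": long_name}),
        "new_vulnerable": save_user_vulnerable({"action": "new", "username": payload}),
        "copy_hardened": save_user_hardened({"action": "copy", "username": payload}),
        "copy_long_hardened": save_user_hardened({"action": "copy", "username": long_name}),
        "rendered_unescaped": f"<h3>{payload}</h3>",
        "rendered_escaped": render_tab_heading(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable handler accepting the payload and the 60-character name on the copy path while rejecting the same payload on the new path, and the hardened handler rejecting both regardless of action. Note that output escaping alone would have hidden this bug rather than fixed it: the report's deletion problems in user_group_admin.php are exactly what a bad value sitting in the database causes, so the server-side check on every write path is the primary fix and the escaping is defence in depth.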