Lack of escaping on some pages can lead to XSS exposure

[ddb4github]

Describe the bug

Several XSS Vulnerabilities during XSS testing

To Reproduce

Case#1

1. Go to 'Reporting(reports_admin.php)'
2. Create/Modify a report
3. Add a 'Text' item with Fixed Text <script>alert('test CVE');</script>
4. Click save, and then return to Item list
5. See error, popup alert('test CVE') as below
   
6. Click 'Preview' tab
7. See error again.

Case#2

1. Go to 'Console -> Data Collection -> Data Queries'
2. Select a data query, and click name to edit it
3. Click name of one of Associated Graph Templates
4. Modify name to <script>alert('test CVE');</script>
5. Click Save button, then click Return button
6. Click x icon of row right for the modified one
7. See error, popup alert('test CVE') as below
   

Case#3

data_input.php, delete,click a output/input field with <script>alert('test CVE');</script>

Case#4

graph_templates.php add graph items with a color named <script>alert('test CVE');</script>

Case#5

1. Go to 'Console -> Management`
2. Add a XSS Site with name <script>alert('SiteCore');</script>
3. Add a XSS Device with name: <script>alert('hostname');</script>, description: <script>alert('hostdesc');</script>
4. Access any 'Console -> Management -> Trees`
5. Click any one of tree name
6. See error, popup twice alert('SiteCore'), alert('hostdesc'), alert('hostname').

Case#6

1. Go to 'Console -> Management -> Trees`
2. Crate a tree with name <script>alert('tree');</script>
3. Access 'Console -> Management -> Graphs`
4. Select any one of graph
5. Select Action Place on a Tree <script>alert('tree');</script>
6. Click Go
7. See error, popup alert('tree')

Case#7

1. Edit a graph template, fill name with <script>alert('gtemplatename');</script>
2. Edit or create a report with name <script>alert('rptname');</script>
3. Access Graphs --> List/Tree/Preview mode
4. See error, tree/preview will popup alert('gtemplatename') only. And list mode will popup a extra alert('rptname')

Case#8

1. Edit or create a graph template, fill name with <script>alert('gtemplatename');</script>
2. Associate above graph template to a device
3. Edit above device
4. Click hyperlink Create Graphs for this Device
5. Select above graph template in list
6. Click "Create" button
7. See error

Desktop (please complete the following information)

• OS: Windows 10
• Browser: Firefox
• Version: 68.8 ESR

[TheWitness]

Jing, can you request a CVE#?

[TheWitness]

Case #2 is not repeatable in 1.2.12.

[TheWitness]

Okay, was able to verify issue #2, but issue #5 and #6 you need to provide additional details.

[ddb4github]

Okay, was able to verify issue #2, but issue #5 and #6 you need to provide additional details.

Updated Case#5 and Case#6 for detail steps

[ddb4github]

Jing, can you request a CVE#?

Just request, to be reviewed

[netniV]

Thanks @ddb4github! When I first started seeing these CVE's, it was upsetting as no one likes holes in their code, but at the same time we are very grateful that people are using the product and testing it thoroughly to help find these things 👍

Keep up the good work

[TheWitness]

Okay, all resolved. Thanks Jing.

[ddb4github]

append Case7,8 to Issue Desc area

[yingbaiibm]

Append more cases

Case #9 data_sources.php page with popup exist

1. Add a device with name <script>alert(1);</script>
2. Create graph for the device
3. Go to Data Sources page, click the data source with name <script>alert(1);</script>, pop up exist
   

Case #10 notify_lists.php with popup exist

1. add a notification
2. go to device page, popup exist due to there is device name as <script>alert(1);</script>
   

Case #11 automation_graph_rules.php popup exist on page

1. Go to automation - Graph Rules page
2. Add a rule with name and data query as <script>alert(1);</script> and save it.
3. Click Graph Rules page again, popup exist.
   

Case #12 data_debug.php, edit a datasource with script has popup exist

1. Go to TroubleShooting - Data Sources page
2. Click a datasource name like <script>alert(1);</script>, pop up exist
   

[yingbaiibm]

### Case #13 reports_admin.php, add an item with script, click send now, pop up exist

1. add report name like <script>alert(1);</script>
2. Click the report
3. Click send report, popup windows exist
   
   

### Case #14 click a tree named with script has popup

1. Create a tree name like <script>alert(1);</script>
2. publish the tree
3. Go to graph page, click the tree name, popup exist
   

### Case #3 data_input.php, delete,click a output/input field with script --still failed with the fix

### Case #4 graph_templates.php add graph items with a color named --failed with the fix

1. Go to Present - Colors
2. Add a color named like <script>alert(1);</script>
3. Go to Template -Graph page
4. Add a graph template
5. Click add graph item, popup exist
   
   

[netniV]

Case #9 seems to be directly related to using drop_callback, as when you change the field to a textbox, the XSS doesn't exist.

Case #10 is specific to Thold so should be opened against that repo.

Case #11 is due to the Data Query drop down not being escaped.

Case #12 is due to the title not being escaped on the Were we able to convert the title? line.

Case #13 is due to the title not being escaped in the success/fail messages.

Case #14 is something i was unable to reproduce.

[netniV]

I have sorted 11 through 13, the rest are unresolved or unconfirmed.

[TheWitness]

I've fixed a few more of these. I guess we need to hit a reset button. @yingbaiibm, can you summarize what is still outstanding?

[yingbaiibm]

@TheWitness ok, I will check and summarize the status after we merge the new fix.

[yingbaiibm]

@TheWitness Test using latest cacti code, make a summray like below.
passed retest 10 cases, failed 4 cases, added 5 new cases. see details like below

[yingbaiibm]

passed case: 1, 2, 5, 6, 8, 10, 11, 12, 13, 14

Failed case 3, 4, 7, 9

Case3: click/delete a data output field has popup exist

Case4: graph_templates.php add graph items with a color named
- go to present-color, add a color named with <script>alert('pcolor');</script>
- go to template graph, add a graph, add a graph item, popup exist

case7 go to graphs - list view mode, popup exist for reporting with name <script>alert('xxx');</script>
- Go to Reporting page, add a report name with <script>alert('reporting');</script>
- Go to Graphs - list view mode, popup of reporting exist

Case9 data_sources.php page with popup exist

New founded issue

Case#15 place device on a tree named with <script>alert('tree');</script> has popup exist

Case#16 create graph for a device has popup exist due to data query with script
- create a data query with name <script>alert('data_query');</script>
- Go to device page, add the data_query to the device
- Click create graphs for this device, popup exist

Case#17 go to create graph page, popup exist
- create a data query with name <script>alert('data_query');</script>
- Go to device page, add the data_query to the device
- Go to Create - New graphs page, popup for data_query exist

Case#18 create graph for a device has popup exist for color with script
- go to present-color, add a color named with <script>alert('pcolor');</script>
- Create a graph for device, choose Cisco- CPU Usage Graph template
- Click create, popup for pcolor exist

Case#19 go to graphs - preview mode has popup for graph name with script

[TheWitness]

Okay. Should be all resolved now.

[netniV]

@ddb4github and @yingbaiibm can you confirm?

[yingbaiibm]

@TheWitness @netniV retest using latest code, 2 cases still have problem.

passed 4, 7, 9, 15, 16, 17, 18,

Failed 3, 19

Case#3, click a data output field has popup exist

page source code:

Case#19 Go to graph list view/preview mode has popup exist

[netniV]

Thanks for the feedback, we will look into it again.

[netniV]

I believe that these two should be resolved now. Can you retest for me? Thank you so much for your time and patience.

[yingbaiibm]

@netniV test using your new fix. passed for data_input case.
For graph -preview mode, still has popup exist. please have a check.

[netniV]

I tried to reproduce it and the with my fix I seemed to no longer have the error. Can you give the page/mode you are using?

[ddb4github]

I tried to reproduce it and the with my fix I seemed to no longer have the error. Can you give the page/mode you are using?

Under Preview mode, 'alert' come from Template filter that is generated by function html_graph_preview_filter

[netniV]

Thanks for the PR. Saves me doing the same thing. I think I fixed it under somewhere else.

[TheWitness]

Okay, looks like this is good then. Stored XSS makes peoples lives more interesting I guess.

[TheWitness]

Found one more in lib/import.php.