
some vulns found in cacti 1.1.15 #877

Closed
kevinoclam opened this issue Jul 26, 2017 · 6 comments


kevinoclam commented Jul 26, 2017

I found some vulns in Cacti 1.1.15:

the incomplete fix for issue 847 (CVE-2017-11163)
another XSS vuln
a path traversal vuln
a code exec vuln

XSS
./lib/html_form.php
line 1153
$cancel_action = "<input type='button' onClick='cactiReturnTo(\"" . htmlspecialchars($cancel_url) . "\")' value='" . $calt . "'>";
well, htmlspecialchars() does not filter ' by default
http://php.net/manual/en/function.htmlspecialchars.php
you should use htmlspecialchars($cancel_url, ENT_QUOTES)
this causes the fix for issue 847 (CVE-2017-11163) not to work well
and the fix for issue #867 should maybe also use htmlspecialchars($_SESSION['profile_referer'], ENT_QUOTES)
and it also works at ./graphs_new.php
[screenshot: the request]
[screenshot: the XSS code works]

path traversal
./utilities.php
line 868
$logfile = read_config_option('path_cactilog');
well, the parameter 'path_cactilog' can be edited on the settings/path page, so an authenticated user can change the path of the log file to get any file on the server, for example /etc/passwd
[screenshot: editing the path on the settings page]
[screenshot: getting the content of /etc/passwd at log_view]

code exec
./spikekill.php
lines 66-73
$results .= shell_exec(read_config_option('path_php_binary') . ' -q ' . $config['base_path'] . '/cli/removespikes.php ' . ' -R=' . $data_source_path . (isset_request_var('dryrun') ? ' --dryrun' : '') . (isset_request_var('method') ? ' -M=' . get_nfilter_request_var('method'):'') . (isset_request_var('avgnan') ? ' -A=' . get_nfilter_request_var('avgnan'):'') . (isset_request_var('outlier-start') ? ' --outlier-start=' . get_nfilter_request_var('outlier-start'):'') . (isset_request_var('outlier-end') ? ' --outlier-end=' . get_nfilter_request_var('outlier-end'):'') . ' -U=' . $_SESSION['sess_user_id'] . ' --html');

the parameter path_php_binary can also be edited by an authorized user, just like the path of the log,
so just putting this parameter into shell_exec() can cause a code exec vuln
[screenshot: editing path_php_binary on the settings page, as well as the other parameters]
[screenshot: sending the request to ./spikekill.php]
[screenshot: the 123.txt file found in /tmp/]

an unauthorized attacker can use social engineering to exploit the XSS vuln and get the cookie of an authorized user, then become an authorized attacker to perform the path traversal and code exec

Chen ruiqi
Codesafe Team
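As an added example (not Cacti's code and not the reporter's), the following PHP shows the two hardenings discussed in this report side by side: why htmlspecialchars() without ENT_QUOTES leaves a single-quoted attribute breakable, and how escapeshellarg() keeps request-derived options inert when they are appended to a shell_exec() command. Function names and the sample values are constructed; the buildRemoveSpikesCmd() argument list is hypothetical and only mirrors the options visible in the quoted spikekill.php line.

```php
<?php
// Added example, not Cacti code. Before PHP 8.1 the default flags of
// htmlspecialchars() were ENT_COMPAT | ENT_HTML401, which leave ' untouched;
// ENT_COMPAT is passed explicitly so the weak case behaves the same on every
// PHP version.

// Weak: mirrors the pre-fix lib/html_form.php line. A ' in $url survives
// and terminates the onClick='...' attribute early.
function weakCancelButton(string $url): string {
    $safe = htmlspecialchars($url, ENT_COMPAT, 'UTF-8');
    return "<input type='button' onClick='cactiReturnTo(\"" . $safe . "\")'>";
}

// Hardened: ENT_QUOTES encodes ' as &#039; (and " as &quot;), so the value
// cannot leave the attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function safeCancelButton(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='button' onClick='cactiReturnTo(\"" . $safe . "\")'>";
}

// Check: true if the text between onClick=' and the closing '> still
// contains a bare single quote, i.e. the attribute boundary is breakable.
function attributeBreakable(string $rendered): bool {
    $inner = substr($rendered, strpos($rendered, "onClick='") + 9, -2);
    return strpos($inner, "'") !== false;
}

// Shell side (the spikekill.php pattern): wrap each value in escapeshellarg()
// instead of concatenating it raw, so ; | ` $ and quotes are not interpreted.
function buildRemoveSpikesCmd(string $phpBin, string $base, string $rrd, string $method): string {
    return escapeshellarg($phpBin) . ' -q '
        . escapeshellarg($base . '/cli/removespikes.php')
        . ' -R=' . escapeshellarg($rrd)
        . ' -M=' . escapeshellarg($method) . ' --html';
}

// Constructed sample input: a return URL carrying a single quote.
$url = "graphs.php?id=1' data-x='";
printf("weak  breakable: %s\n", attributeBreakable(weakCancelButton($url)) ? 'yes' : 'no');
printf("safe  breakable: %s\n", attributeBreakable(safeCancelButton($url)) ? 'yes' : 'no');

// Constructed sample input: a method value carrying a shell metacharacter.
echo buildRemoveSpikesCmd('/usr/bin/php', '/var/www/cacti', '/var/www/cacti/rra/1.rrd', 'avg; id'), PHP_EOL;
```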

kevinoclam changed the title from "some vulns found in" to "some vulns found in cacti 1.1.15" Jul 26, 2017

cigamit (Member) commented Jul 26, 2017

The three issues about an authorized user altering settings to values that do expectedly bad things do not equate to a vuln IMHO. It would be similar to a gun owner placing a loaded gun in their pocket without the safety off and then shooting themselves in the foot five minutes later while the gun was still in their pocket.

So, the html_form.php issue. Yup, good one and the spikekill issue is a potential issue, but not the one you reported which is equivalent to the one above. It's more of a potential shell escaping issue that needs to be reviewed. It may, in the end, not be an issue.

Thanks for keeping us honest.

cigamit added a commit that referenced this issue Jul 26, 2017
Improving resolution to #847 and one additional vulnerability.
kevinoclam (Author) commented

thanks for the quick reply and the fix
and it's a really good example with the gun man
I report all those just because I found them all, and it's my duty to report all to you
Best wishes

cigamit (Member) commented Jul 27, 2017

We appreciate your efforts. Thanks!

@cigamit cigamit closed this as completed Jul 27, 2017
kevinoclam (Author) commented

well, I found that the patch to issue 867 should also add ENT_QUOTES

cigamit (Member) commented Jul 29, 2017

That's cleared up too.

orf53975 commented

what RCE?
just a normal function

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 30, 2020