some vulns found in cacti 1.1.15 #877
Comments

The three issues about an authorized user altering settings to values that do expectedly bad things do not equate to a vuln IMHO. It would be similar to a gun owner placing a loaded gun in their pocket without the safety off and then shooting themselves in the foot five minutes later while the gun was still in their pocket. So, the html_form.php issue. Yup, good one, and the spikekill issue is a potential issue, but not the one you reported, which is equivalent to the one above. It's more of a potential shell escaping issue that needs to be reviewed. It may, in the end, not be an issue. Thanks for keeping us honest.
Improving resolution to #847 and one additional vulnerability.
thanks for the quick reply and the fix
We appreciate your efforts. Thanks!
well, I found that the patch to issue 867 should also add ENT_QUOTES
That's cleared up too.
what a rce ?
I found some vulns in cacti 1.1.15
the uncorrected fix to issue #847 (CVE-2017-11163)
another xss vuln
a path traversal vuln
a code exec vuln
XSS


./lib/html_form.php
line 1153
```php
$cancel_action = "<input type='button' onClick='cactiReturnTo(\"" . htmlspecialchars($cancel_url) . "\")' value='" . $calt . "'>";
```
well, htmlspecialchars() does not filter ' by default
http://php.net/manual/en/function.htmlspecialchars.php
you should use htmlspecialchars($cancel_url, ENT_QUOTES)
this causes the fix to issue #847 (CVE-2017-11163) not to work well
and the fix to issue #867 should maybe also use htmlspecialchars($_SESSION['profile_referer'], ENT_QUOTES)
and it also works at ./graphs_new.php
the request
the xss code works
path traversal


./utilities.php
line 868
```php
$logfile = read_config_option('path_cactilog');
```
well, the parameter 'path_cactilog' can be edited at the Settings > Paths page, so an authenticated user can change the path of the log file to get any file on the server, for example /etc/passwd
edit path at setting page
get the content of /etc/passwd at log_view
code exec
./spikekill.php
line 66~73
```php
$results .= shell_exec(read_config_option('path_php_binary') . ' -q ' . $config['base_path'] . '/cli/removespikes.php ' .
    ' -R=' . $data_source_path .
    (isset_request_var('dryrun') ? ' --dryrun' : '') .
    (isset_request_var('method') ? ' -M=' . get_nfilter_request_var('method') : '') .
    (isset_request_var('avgnan') ? ' -A=' . get_nfilter_request_var('avgnan') : '') .
    (isset_request_var('outlier-start') ? ' --outlier-start=' . get_nfilter_request_var('outlier-start') : '') .
    (isset_request_var('outlier-end') ? ' --outlier-end=' . get_nfilter_request_var('outlier-end') : '') .
    ' -U=' . $_SESSION['sess_user_id'] . ' --html');
```
the parameter path_php_binary can also be edited by an authorized user, just like the path of the log,



so just putting this parameter into shell_exec() can cause a code exec vuln
edit path_php_binary at Settings, as well as the other parameters
send the request to ./spikekill.php
find the 123.txt file at /tmp/
an unauthorized attacker can use social engineering to exploit the xss vuln and get the cookie of an authorized user, then become an authorized attacker to perform the path traversal and code exec
Chen ruiqi
Codesafe Team
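As an added example (not Cacti's code and not part of the report above), the following PHP shows hardened counterparts to the three snippets quoted in this issue: ENT_QUOTES for the html_form.php cancel URL, a canonicalised path check for the admin-editable log path, and escapeshellarg() around every value that reaches shell_exec() in spikekill.php. Function names, the $allowed_dir argument and the sample inputs are assumptions made for illustration. Before PHP 8.1 the default htmlspecialchars() flags were ENT_COMPAT, which is why the single quote in the original snippet survives.

```php
<?php
// Added example (not Cacti's code): hardened counterparts to the three
// snippets quoted in this issue. Function names, the $allowed_dir argument
// and the sample inputs are assumptions made for illustration.

// 1. XSS in html_form.php: the cancel URL lands inside a single-quoted JS
//    string inside a single-quoted HTML attribute. Before PHP 8.1,
//    htmlspecialchars() defaulted to ENT_COMPAT, which leaves ' untouched;
//    ENT_QUOTES encodes it as &#039; so the attribute cannot be closed early.
function cancel_action_html(string $cancel_url, string $calt): string
{
    $flags    = ENT_QUOTES | ENT_SUBSTITUTE;
    $safe_url = htmlspecialchars($cancel_url, $flags, 'UTF-8');
    $safe_alt = htmlspecialchars($calt, $flags, 'UTF-8');
    return "<input type='button' onClick='cactiReturnTo(\"" . $safe_url
        . "\")' value='" . $safe_alt . "'>";
}

// 2. Path traversal in utilities.php: an admin-editable path option must not
//    be able to point at arbitrary files. Canonicalise it and require it to
//    stay inside an allowed directory; return null to refuse.
function resolve_log_path(string $configured, string $allowed_dir): ?string
{
    $base = realpath($allowed_dir);
    $real = realpath($configured);
    if ($base === false || $real === false || !is_file($real)) {
        return null; // missing file or directory: refuse
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $real;
}

// 3. Command injection in spikekill.php: every value interpolated into the
//    shell_exec() string, including the admin-editable php binary path, is
//    wrapped with escapeshellarg(); the boolean flag is emitted only as a
//    fixed literal. Values still need format validation against what
//    removespikes.php expects; escaping alone only neutralises shell
//    metacharacters.
function build_removespikes_command(string $php_binary, string $base_path,
                                    string $ds_path, array $request, int $user_id): string
{
    $cmd = escapeshellarg($php_binary) . ' -q '
         . escapeshellarg($base_path . '/cli/removespikes.php')
         . ' -R=' . escapeshellarg($ds_path);
    if (isset($request['dryrun'])) {
        $cmd .= ' --dryrun';
    }
    $options = ['method' => '-M', 'avgnan' => '-A',
                'outlier-start' => '--outlier-start',
                'outlier-end' => '--outlier-end'];
    foreach ($options as $key => $opt) {
        if (isset($request[$key])) {
            $cmd .= ' ' . $opt . '=' . escapeshellarg((string) $request[$key]);
        }
    }
    return $cmd . ' -U=' . (int) $user_id . ' --html';
}

// Constructed sample inputs: a URL containing a single quote, and a
// path_php_binary value containing shell metacharacters.
echo cancel_action_html("graphs.php?name=O'Reilly", 'Cancel'), PHP_EOL;
echo build_removespikes_command('/usr/bin/php; id', '/var/www/cacti',
                                '/var/www/cacti/rra/ds_1.rrd',
                                ['method' => 'stddev', 'dryrun' => '1'], 1), PHP_EOL;
```

With ENT_QUOTES the single quote in the sample URL is emitted as &#039;, so it can no longer terminate the onClick attribute. In the third function the metacharacters in the binary path end up inside one single-quoted shell argument, so the shell treats the whole value as a program name rather than two commands; the path check in resolve_log_path() is what actually stops an administrator from pointing path_cactilog at /etc/passwd.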