Open redirect in change password functionality

Low
netniV published GHSA-4pjv-rmrp-r59x Sep 5, 2023

Package

Cacti

Affected versions

1.2.24

Patched versions

None

Description

Summary

In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a password change initiated through a specifically crafted URL.

Details

The auth_changepassword.php file accepts ref as a URL parameter and reflects it in the form used to perform the password change. Its value is then used to perform a redirect via the PHP header function.

		// ...

		/* ok, at the point the user has been successfully authenticated; so we must decide what to do next */

		/* if no console permissions show graphs otherwise, pay attention to user setting */
		$realm_id    = $user_auth_realm_filenames['index.php'];
		$has_console = db_fetch_cell_prepared('SELECT realm_id
			FROM user_auth_realm
			WHERE user_id = ? AND realm_id = ?',
			array($user_id, $realm_id));

		if (basename(get_nfilter_request_var('ref')) == 'auth_changepassword.php' || basename(get_nfilter_request_var('ref')) == '') {
			if ($has_console) {
				set_request_var('ref', 'index.php');
			} else {
				set_request_var('ref', 'graph_view.php');
			}
		}

		if (!empty($has_console)) {
			switch ($user['login_opts']) {
				case '1': /* referer */
					header('Location: ' . sanitize_uri(get_nfilter_request_var('ref'))); break;
				case '2': /* default console page */
					header('Location: index.php'); break;
				case '3': /* default graph page */
					header('Location: graph_view.php'); break;
				default:
					api_plugin_hook_function('login_options_navigate', $user['login_opts']);
			}
		} else {
			header('Location: graph_view.php');
		}
		exit;

		// ...

<body class='loginBody'>
	<div class='loginLeft'></div>
	<div class='loginCenter'>
		<div class='loginArea'>
			<div class='cactiLogoutLogo'></div>
			<legend><?php print __('Change Password');?></legend>
			<form name='login' method='post' action='<?php print get_current_page();?>'>
				<input type='hidden' name='action' value='changepassword'>
				<input type='hidden' name='ref' value='<?php print html_escape(get_request_var('ref')); ?>'>

// ...

Two functions handle ref after the POST, but neither validates where it points:

  • The sanitize_uri function, defined in functions.php, only cleans up a URI against XSS.
  • The get_nfilter_request_var function, defined in html_utility.php, returns the raw value of the request variable and defers any filtering to the caller.

No check is performed to determine whether ref is an internal URL.

An arbitrary value of ref is sufficient to bypass the first if clause, which only replaces ref when it is empty or points at auth_changepassword.php itself.

To reach the sink in the second if clause, two conditions must hold:

  1. The user has "Console Access" in their "Permissions", i.e. !empty($has_console) is true.
  2. The user's "Login Options" ($user['login_opts']) are set to "Show the page that user pointed their browser to." (case '1'). This is the default behavior, as can be verified in the cacti.sql file.

-- ...

CREATE TABLE user_auth (
-- ...
  `login_opts` tinyint(3) unsigned NOT NULL default '1',
-- ...
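As an added example (not Cacti's own code and not the project's fix), the following check restricts ref to a relative, same-site page name before it is used in the Location header; the function name safe_internal_ref and the sample inputs are assumptions:

```php
<?php
// Added example, not Cacti's own code: restrict `ref` to a same-site page
// before it reaches header('Location: ...'). Function name is an assumption.
function safe_internal_ref($ref, $default = 'index.php') {
    $ref = (string) $ref;

    // Control characters or whitespace: header injection, "javascript:\t" tricks.
    if (preg_match('/[\x00-\x20\x7f]/', $ref)) {
        return $default;
    }
    // Browsers treat backslashes as slashes, so "/\evil.example" is followed
    // as "//evil.example": normalise before checking.
    $ref = str_replace('\\', '/', $ref);

    // Absolute URLs (any scheme) and protocol-relative URLs are off-site.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $ref) || substr($ref, 0, 2) === '//') {
        return $default;
    }
    // Belt and braces: anything parse_url() still sees a host or scheme in.
    $parts = parse_url($ref);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $default;
    }
    // Only a bare page name (optional leading slash, optional query string).
    $path = isset($parts['path']) ? $parts['path'] : '';
    if (!preg_match('#^/?[a-z_]+\.php$#', $path)) {
        return $default;
    }
    return $ref;
}

// In auth_changepassword.php the referer case would then read:
//   header('Location: ' . safe_internal_ref(get_nfilter_request_var('ref')));

// Constructed sample inputs and the decision expected for each.
$samples = array(
    'graph_view.php'              => 'graph_view.php',
    '/index.php?tab=1'            => '/index.php?tab=1',
    'https://malicious.example/'  => 'index.php',  // absolute URL
    '//malicious.example/'        => 'index.php',  // protocol-relative
    '/\\malicious.example/'       => 'index.php',  // backslash variant
    'javascript:alert(1)'         => 'index.php',  // non-http scheme
    "index.php\r\nX-Injected: 1"  => 'index.php',  // CRLF in value
);
foreach ($samples as $in => $expected) {
    $got = safe_internal_ref($in);
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . var_export($in, true) . " -> $got\n";
}
```

The allow-list on the final path is deliberately stricter than "not an absolute URL": a relative value such as a traversal path is also sent to the default page rather than followed.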

PoC

Prerequisites:

  • The target user has "Console Access" in their "Permissions".
  • The "Login Options" of the target user are set to "Show the page that user pointed their browser to.".
  • The target user is tricked into performing the password change.

Exploit:
Send the target user a link like the following.

https://<cacti_installation>/auth_changepassword.php?ref=https://<malicious_website>

After the password change operation, the browser is redirected to the malicious website.

Impact

A naive user can be tricked into performing the password change operation, e.g. via a phishing message, and then into interacting with the malicious website to which the redirection has been performed, e.g. downloading malware, providing credentials, etc.

Severity

Low


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-39364
