Cross-Site Scripting vulnerability when creating new graphs

Moderate
netniV published GHSA-gx8c-xvjh-9qh4 Sep 5, 2023

Package

Cacti

Affected versions

1.2.24

Patched versions

1.2.25, 1.3.0

Description

Summary

During the review of this project, a Reflected XSS vulnerability was discovered. An attacker could exploit this vulnerability to execute actions on behalf of other users or potentially take over their accounts.

Details

The vulnerability is found in graphs_new.php. Several validations are performed, but the returnto parameter is passed directly to form_save_button. The only check applied to it is a substring search, so any value that merely contains host.php passes the validation.

if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'graphs_new') === false) {
	set_request_var('returnto', basename($_SERVER['HTTP_REFERER']));
}

load_current_session_value('returnto', 'sess_grn_returnto', '');

// Substring check only: any value containing 'host.php' is accepted as-is
if (strpos(get_nfilter_request_var('returnto'), 'host.php') === false) {
	set_request_var('returnto', '');
}

form_save_button(get_nfilter_request_var('returnto'), 'create');

The form_save_button function receives the returnto parameter as its cancel_url argument. Although cancel_url is escaped with html_escape, it is reflected inside an onClick attribute as the argument of cactiReturnTo. Because cactiReturnTo is a JavaScript function that redirects the browser to the given URL, HTML escaping does not help: a value using the javascript: scheme is a syntactically valid URL and executes arbitrary script when the redirect happens.

function form_save_button($cancel_url, $force_type = '', $key_field = 'id', $ajax = true) {
	// ...

	if ($force_type != 'import' && $force_type != 'export' && $force_type != 'save' && $force_type != 'close' && $cancel_url != '') {
		// html_escape prevents breaking out of the attribute, but the URL itself is never validated
		$cancel_action = "<input type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo(\"" . html_escape($cancel_url, ENT_QUOTES) . "\")' value='" . $calt . "'>";
	} else {
		$cancel_action = '';
	}

	?>
	<table style='width:100%;text-align:center;'>
		<tr>
			<td class='saveRow'>
				<input type='hidden' name='action' value='save'>
				<?php print $cancel_action;?>
				<input type='submit' class='<?php print $force_type;?> ui-button ui-corner-all ui-widget' id='submit' value='<?php print $alt;?>'>
			</td>
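The root cause above is that the returnto value is checked for a substring and then only HTML-escaped, while what actually matters is whether the value is a safe relative URL for cactiReturnTo to navigate to. The following is an added example, not Cacti's own code or its actual fix, of a strict allowlist validator for such a parameter: it rejects any value carrying a scheme or authority (including javascript:), accepts only an exact page name from a fixed list, and rebuilds the query string from parsed key/value pairs. The function names, the allowlist contents, and the use of a data attribute instead of an inline handler are assumptions made for this illustration.

```php
<?php
// Added example (not Cacti's code): validate a "return to" URL before it is
// handed to a client-side redirect. Function names are hypothetical.

/**
 * Return a safe, relative URL or '' when the candidate must be rejected.
 * Only exact page names from $allowed_pages are accepted; any scheme
 * (javascript:, data:, http:, ...) or authority (//host) is refused.
 */
function sanitize_return_to(string $candidate, array $allowed_pages = ['host.php', 'graphs.php']): string
{
    $candidate = trim($candidate);
    if ($candidate === '') {
        return '';
    }

    // Reject anything that looks like "scheme:..." or protocol-relative "//host".
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate) || strncmp($candidate, '//', 2) === 0) {
        return '';
    }

    // Reject control characters and whitespace; browsers strip some of these
    // while parsing URLs, which defeats naive string checks.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return '';
    }

    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return '';
    }

    // Exact match against the allowlist, not a substring search, and no
    // directory components (so "host.php/../other.php" is refused).
    $path = $parts['path'] ?? '';
    if ($path === '' || basename($path) !== $path || !in_array($path, $allowed_pages, true)) {
        return '';
    }

    // Rebuild the query from parsed pairs so only plain key=value data survives.
    $safe = $path;
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $pairs);
        $clean = [];
        foreach ($pairs as $key => $value) {
            if (is_string($value)
                && preg_match('/^[A-Za-z0-9_]+$/', (string) $key)
                && preg_match('/^[A-Za-z0-9_.:-]*$/', $value)) {
                $clean[$key] = $value;
            }
        }
        if ($clean !== []) {
            $safe .= '?' . http_build_query($clean);
        }
    }
    return $safe;
}

/**
 * Render the cancel control with the validated URL in a data attribute rather
 * than inside an inline onClick handler; a small script bound to the class
 * reads the attribute and calls the redirect function. Returns '' when the
 * URL was rejected, so no cancel button is emitted at all.
 */
function render_cancel_button(string $return_to, string $label = 'Cancel'): string
{
    $url = sanitize_return_to($return_to);
    if ($url === '') {
        return '';
    }
    return "<input type='button' class='ui-button ui-corner-all ui-widget cancelReturn' data-returnto='"
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "' value='"
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "'>";
}

// Self-check with constructed inputs: every rejected case yields ''.
if (PHP_SAPI === 'cli') {
    $cases = [
        'host.php'                        => 'host.php',
        'host.php?host_id=5'              => 'host.php?host_id=5',
        'graphs_new.php'                  => '',   // not in the allowlist
        'javascript:alert(1)//host.php'   => '',   // scheme present, substring check would have passed it
        '//example.invalid/host.php'      => '',   // protocol-relative authority
        'host.php/../other.php'           => '',   // path traversal into another page
    ];
    foreach ($cases as $input => $expected) {
        $got = sanitize_return_to($input);
        printf("%-34s -> %-22s %s\n", $input, var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Two design points are worth noting. First, the substring test in graphs_new.php is replaced by an exact-match allowlist after URL parsing, which is the check that actually decides whether cactiReturnTo can be pointed at a dangerous target. Second, moving the URL out of an inline onClick into a data attribute does not by itself remove the risk (the value still ends up in a navigation call), but it separates markup escaping from URL validation and makes the remaining client-side code easier to review.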

PoC

  1. Log in to Cacti.
  2. Open "http://IP/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS".
  3. Click the Cancel button.

  [PoC screenshot]

Impact

An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. The attacker could also potentially take over user accounts completely, undermining the integrity of user interactions within the system.

Severity

Moderate, 6.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2023-39360
