Stored XSS in Cacti v1.1.38
September 02, 2018
A few weeks ago I ran into an older version of the Cacti network graphing solution, which led me down the path of researching the application. This revealed some interesting vulnerabilities, discussed in this post, that I have disclosed on the Cacti issues page.
v1.1.38 Stored XSS in user_admin.php

When creating a new user on /cacti/user_admin.php with the "copy" method, it is possible to bypass the input validation applied to the username. The application accepts a user called "<script>alert(1)</script>", which fits exactly within the maximum username length the form allows. That length limit is enforced only in the browser form, so it can be circumvented to store longer usernames, and therefore longer XSS payloads, by sending the request through a web application proxy and editing it before it reaches the server.

The stored payload then executes whenever someone opens the user's profile and views the "General", "Permissions", or "User Settings" tab:
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=general
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=realms
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=settings
v1.1.38 Bypass Input Validation in user_group_admin.php

The same weakness, using the "copy" approach to bypass input validation, exists on the user_group_admin.php page. In this case, however, I was unable to use the web application proxy trick to lengthen the group name beyond the form's limit.

When I went back to delete the group, I ran into problems that required me to remove it manually from the "user_auth_group" table in the database.

As a PoC, I used this for a short HTML injection by creating the group "<h1>test</h1>". The markup only rendered when going back to delete the group.
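Both issues above leave the payload sitting in the Cacti database (the `user_auth` and `user_auth_group` tables) until a page echoes the name back unescaped. The following is an added example, not Cacti's own code: it audits those two tables for names that contain HTML metacharacters or exceed an expected length (the second check catches names lengthened via the proxy edit), and shows the vulnerable rendering pattern next to the output-encoding fix. It assumes the column names `user_auth.username` and `user_auth_group.name`, uses an in-memory SQLite database as a stand-in for Cacti's MySQL, and the rows and the `MAX_NAME_LEN` limit are constructed for the demonstration.

```python
"""Audit Cacti user and group names for stored markup, and show the rendering fix.

Added example, not part of Cacti. Assumes the columns user_auth.username and
user_auth_group.name; SQLite stands in for MySQL and every row is constructed.
"""
import html
import re
import sqlite3

# Characters that turn a plain name into markup once it is echoed into a page
# without encoding. A legitimate username or group name has no need for them.
SUSPICIOUS = re.compile(r'[<>"\'&]')

# Assumed limit for the audit; use the real column width from the Cacti schema.
MAX_NAME_LEN = 50


def load_fixture():
    """Build a constructed stand-in for the two Cacti tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE user_auth_group (id INTEGER PRIMARY KEY, name TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO user_auth(username) VALUES (?)",
        [
            ("admin",),
            ("guest",),
            ("<script>alert(1)</script>",),  # the payload from the post
            # a longer payload, as stored after editing the request in a proxy
            ("x" * 60 + "<img src=x onerror=alert(1)>",),
        ],
    )
    conn.executemany(
        "INSERT INTO user_auth_group(name) VALUES (?)",
        [("operators",), ("<h1>test</h1>",)],
    )
    return conn


def find_suspicious_names(conn):
    """Return (table, id, name, reasons) for every row that looks injected."""
    hits = []
    # Table and column names are fixed here, not user input, so the f-string is safe.
    for table, col in (("user_auth", "username"), ("user_auth_group", "name")):
        for row_id, name in conn.execute(f"SELECT id, {col} FROM {table}"):
            reasons = []
            if SUSPICIOUS.search(name):
                reasons.append("html metacharacters")
            if len(name) > MAX_NAME_LEN:
                reasons.append("exceeds expected length")
            if reasons:
                hits.append((table, row_id, name, reasons))
    return hits


def render_cell_unsafe(name):
    """The vulnerable pattern: the stored name is concatenated straight into HTML."""
    return f"<td>{name}</td>"


def render_cell_safe(name):
    """The fix: encode for the HTML text context at the point of output."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    db = load_fixture()
    for table, row_id, name, reasons in find_suspicious_names(db):
        print(f"{table} id={row_id}: {name!r} ({', '.join(reasons)})")
        print("  unsafe:", render_cell_unsafe(name))
        print("  safe:  ", render_cell_safe(name))
```

Run against a copy of the real database, the audit is a cheap way to confirm whether a payload like the one above was ever stored, independent of which tab happens to render it. Input validation on the create path is still worth having, but the durable fix is encoding at output, because the copy path showed that a single skipped validation check is enough to get markup into the table.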
Bonus: Cacti <=0.8.7g Reflected XSS in auth_changepassword.php

I started looking into Cacti after I ran into version 0.8.7g for a client. There were several reflected XSS vulnerabilities in that version, but the one in auth_changepassword.php is the one I had not seen well documented.

Looking at the code itself, I found a hidden form parameter whose value is reflected into the page without validation or output encoding, which produces the XSS condition. This code was changed in 0.8.7h and later versions.