Created
December 6, 2023 07:12
Save ISHGARD-2/a6b57de899f977e2af41780e7428b4bf to your computer and use it in GitHub Desktop.
Cacti v1.2.25: Cross-Site Scripting vulnerability when Import xml template file
### Summary
A reflected XSS vulnerability was discovered. Attackers can exploit it to perform actions on behalf of other users.
### Details
The vulnerability is in `templates_import.php`. When an XML template file is uploaded and fails validation, the server responds with a JavaScript pop-up that contains the unfiltered name of the uploaded XML file, resulting in XSS.
```php
// templates_import.php: the uploaded file name is logged and then passed,
// unescaped, to raise_message_javascript() when validation fails.
$debug_data = import_xml_data($xml_data, $import_as_new, $profile_id, $remove_orphans, $replace_svalues, $import_hashes);
if (!$preview_only) {
    // ...
} elseif ($debug_data !== false && cacti_sizeof($debug_data)) {
    // ...
} else {
    cacti_log(sprintf("ERROR: Import or Preview failed for XML file %s!", $_FILES['import_file']['name']), false, 'IMPORT');
    $message_text = '';
    if (cacti_sizeof($import_messages)) {
        foreach ($import_messages as $message) {
            if (isset($messages[$message])) {
                $message_text .= ($message_text != '' ? '<br>' : '') . $messages[$message]['message'];
            }
        }
    }
    // $_FILES['import_file']['name'] is user-controlled and reaches the JavaScript context as-is.
    raise_message_javascript(__('Error in Template', 'package'), __('The Template XML file "%s" validation failed', $_FILES['import_file']['name']), __('See the cacti.log for more information, and review the XML file for proper syntax. The error details are shown below.<br><br><b>Errors:</b><br>%s', $message_text));
}
```
The file name is passed to `raise_message_javascript()` without being rigorously validated. Inside that function, the variable `$header` holds the file name and is printed directly into a JavaScript string literal.
```php
// $title, $header and $message are each printed raw inside a single-quoted
// JavaScript string literal; none of them is escaped for that context.
function raise_message_javascript($title, $header, $message) {
?>
    <script type='text/javascript'>
        var mixedReasonTitle = '<?php print $title;?>';
        var mixedOnPage = '<?php print $header;?>';   // the file name lands here unescaped
        sessionMessage = {
            message: '<?php print $message;?>',
            level: MESSAGE_LEVEL_MIXED
        };
        $(function() {
            displayMessages();
        });
    </script>
<?php
    exit;
}
```
### PoC
1. Log in to Cacti.
2. Open "http://ip/cacti/templates_import.php".
3. Prepare an empty XML file named `';alert(1);var xx = '.xml`.
4. Upload this file.
![image](https://user-images.githubusercontent.com/88656937/288321185-e4077a74-46ef-4956-9409-b4db8f4e929c.png)
### Impact
An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings.
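As an added example (not Cacti's own code), the PHP below rebuilds the single-quoted literal pattern from `raise_message_javascript()` with the PoC file name, shows a hardened variant that emits the value through `json_encode()`, and checks whether the rendered statement is still a single string assignment. The function names `render_vulnerable`, `js_literal`, `render_hardened` and `is_single_literal_assignment` are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code. render_vulnerable() mirrors the
// single-quoted literal built by raise_message_javascript(); render_hardened()
// emits the same value through json_encode() so it stays a string literal.

// Constructed sample input: the file name from the PoC section.
$poc_name = "';alert(1);var xx = '.xml";

// Vulnerable pattern: the raw value is concatenated into a JS string literal,
// so a single quote in the input terminates the literal and the rest is code.
function render_vulnerable(string $header): string
{
    return "var mixedOnPage = '" . $header . "';";
}

// Hardened pattern: json_encode() produces a valid JS string literal. The HEX
// flags also encode < > & ' " so the value cannot close a </script> tag or an
// HTML attribute if it is later placed in markup; invalid UTF-8 throws
// instead of silently returning false (JSON_THROW_ON_ERROR, PHP >= 7.3).
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function render_hardened(string $header): string
{
    return "var mixedOnPage = " . js_literal($header) . ";";
}

// Check used to compare the two outputs: the statement must be exactly one
// assignment of one (single- or double-quoted) string literal. Anything else
// means the input escaped the literal and became executable code.
function is_single_literal_assignment(string $js): bool
{
    $pattern = '/^var mixedOnPage = (?:"(?:[^"\\\\]|\\\\.)*"|\'(?:[^\'\\\\]|\\\\.)*\');$/';
    return preg_match($pattern, $js) === 1;
}

$vuln = render_vulnerable($poc_name);
$safe = render_hardened($poc_name);
printf("vulnerable: %s\n  single literal? %s\n", $vuln, var_export(is_single_literal_assignment($vuln), true));
printf("hardened:   %s\n  single literal? %s\n", $safe, var_export(is_single_literal_assignment($safe), true));
```

The same encoding applies to `$title` and `$message`, which the original function prints into JavaScript literals in exactly the same way.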
According to https://www.cve.org/CVERecord?id=CVE-2023-50569 this seems to have the CVE-2023-50569 CVE ID, but there is as well GHSA-xwqc-7jc4-xm73 with the same text which refers to CVE-2023-50250. So it looks like CVE-2023-50569 is a duplicate assignment for CVE-2023-50250.
Fixes:
raise_message_javascript() in lib/function.php: