@ISHGARD-2
Created December 6, 2023 07:12
Cacti v1.2.25: Cross-Site Scripting vulnerability when importing an XML template file
### Summary
A reflected XSS vulnerability was discovered. Attackers can exploit this vulnerability to perform actions on behalf of other users.
### Details
The vulnerability is found in `templates_import.php`. When an XML template file is uploaded and fails validation, the server responds with a JavaScript pop-up prompt that embeds the unfiltered XML template file name, resulting in XSS.
```php
$debug_data = import_xml_data($xml_data, $import_as_new, $profile_id, $remove_orphans, $replace_svalues, $import_hashes);
if (!$preview_only) {
    // ...
} elseif ($debug_data !== false && cacti_sizeof($debug_data)) {
    // ...
} else {
    cacti_log(sprintf("ERROR: Import or Preview failed for XML file %s!", $_FILES['import_file']['name']), false, 'IMPORT');
    $message_text = '';
    if (cacti_sizeof($import_messages)) {
        foreach($import_messages as $message) {
            if (isset($messages[$message])) {
                $message_text .= ($message_text != '' ? '<br>':'') . $messages[$message]['message'];
            }
        }
    }
    // The uploaded file name is formatted into the header string without any escaping
    raise_message_javascript(__('Error in Template', 'package'), __('The Template XML file "%s" validation failed', $_FILES['import_file']['name']), __('See the cacti.log for more information, and review the XML file for proper syntax. The error details are shown below.<br><br><b>Errors:</b><br>%s', $message_text));
}
```
The `$header` argument passed to `raise_message_javascript()` contains the uploaded XML file name, which is never validated or escaped before it is printed directly inside a JavaScript string literal:
```php
function raise_message_javascript($title, $header, $message) {
    ?>
    <script type='text/javascript'>
    // $title, $header and $message are printed raw into single-quoted JS strings
    var mixedReasonTitle = '<?php print $title;?>';
    var mixedOnPage      = '<?php print $header;?>';
    sessionMessage = {
        message: '<?php print $message;?>',
        level: MESSAGE_LEVEL_MIXED
    };
    $(function() {
        displayMessages();
    });
    </script>
    <?php
    exit;
}
```
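The root cause in both snippets above is that attacker-influenced strings (the file name inside `$header`, and by extension `$title` and `$message`) are spliced into single-quoted JavaScript literals with `print`, so a single quote in the file name terminates the literal. The following is an added example, not Cacti's code and not the upstream fix: a hardened variant of `raise_message_javascript()` (here named `raise_message_javascript_hardened`, a hypothetical name) that emits each value as a JSON literal via `json_encode()` with the `JSON_HEX_*` flags, which neutralises quotes, backslashes, `<`, `>` and `&` so the string can neither break out of the literal nor close the `<script>` element. The sample file name is the one from the PoC, constructed here as input.

```php
<?php
// Added example (not Cacti's own code): render the same script block as
// raise_message_javascript(), but embed every value as a JSON string
// literal instead of printing it raw into a single-quoted JS string.

// JSON_HEX_TAG  : < > become \u003C \u003E, so "</script>" cannot appear
// JSON_HEX_AMP  : & becomes \u0026
// JSON_HEX_APOS : ' becomes \u0027
// JSON_HEX_QUOT : " becomes \u0022
// Backslashes, control characters and "/" are escaped by json_encode() by default.
const JS_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Return a double-quoted JavaScript string literal that is safe inside a
// <script> element, whatever the input contains.
function js_literal(string $value): string {
    return json_encode($value, JS_JSON_FLAGS | JSON_THROW_ON_ERROR);
}

// Hardened counterpart of raise_message_javascript() (hypothetical name).
// It returns the markup instead of printing and calling exit, so that the
// output can be inspected; a drop-in replacement would print and exit.
function raise_message_javascript_hardened(string $title, string $header, string $message): string {
    $t = js_literal($title);
    $h = js_literal($header);
    $m = js_literal($message);

    // "$(" is not a PHP variable, so the jQuery call survives the heredoc untouched.
    return <<<HTML
<script type='text/javascript'>
var mixedReasonTitle = {$t};
var mixedOnPage      = {$h};
sessionMessage = {
    message: {$m},
    level: MESSAGE_LEVEL_MIXED
};
$(function() {
    displayMessages();
});
</script>
HTML;
}

// Constructed sample input: the file name from the PoC section.
$filename = "';alert(1);var xx = '.xml";
$header   = sprintf('The Template XML file "%s" validation failed', $filename);

echo raise_message_javascript_hardened('Error in Template', $header, 'Errors:<br>none');
```

In the output, `mixedOnPage` becomes `"The Template XML file \u0022\u0027;alert(1);var xx = \u0027.xml\u0022 validation failed"`: the quote characters are hex escapes inside one intact literal, so no code runs. The decoded JavaScript string still contains the original characters, so the `<br>` markup that Cacti puts in `$message` is unaffected for `displayMessages()`; whether that markup should in turn be HTML-escaped before insertion into the DOM is a separate question about how `displayMessages()` renders it.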
### PoC
1. Log in to Cacti.
2. Open "http://ip/cacti/templates_import.php".
3. Prepare an empty XML file named `';alert(1);var xx = '.xml`.
4. Upload this file.
![image](https://user-images.githubusercontent.com/88656937/288321185-e4077a74-46ef-4956-9409-b4db8f4e929c.png)
### Impact
An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings.
@ISHGARD-2 (Author)

ISHGARD-2 commented Dec 12, 2023

Fixes:
raise_message_javascript() in lib/function.php:

```php
function raise_message_javascript($title, $header, $message) {
    ?>
    <script type='text/javascript'>
    var mixedReasonTitle = '<?php print $title;?>';
    var mixedOnPage      = '<?php print $header;?>';
    sessionMessage   = {
        message: '<?php print $message;?>',
        level: MESSAGE_LEVEL_MIXED
    };

    $(function() {
        displayMessages();
    });
    </script>
    <?php
    exit;
}
```

@carnil

carnil commented Dec 24, 2023

According to https://www.cve.org/CVERecord?id=CVE-2023-50569 this seems to have the CVE-2023-50569 CVE ID, but there is as well GHSA-xwqc-7jc4-xm73 with the same text which refers to CVE-2023-50250. So it looks like CVE-2023-50569 is a duplicate assignment for CVE-2023-50250.