XSS vulnerability in Cacti (https://github.com/Cacti/cacti), version v1.2.21.
Path of the vulnerability, from source to sink. It starts in the file https://github.com/Cacti/cacti/blob/develop/graphs_new.php
//line 40
// Request dispatch: the 'action' request variable selects the handler.
switch (get_request_var('action')) {
case 'save':
// The 'save' action calls form_save(), the first step of the data flow traced on this page.
form_save();
//line 117 the source in $_POST
/*
 * Excerpt of form_save(). When the request carries 'save_component_graph', the loop
 * below walks every POST parameter and inspects the parameter NAME ($var), not only
 * its value, so the name itself is request-controlled data (the taint source).
 */
function form_save() {
if (isset_request_var('save_component_graph')) {
/* summarize the 'create graph from host template/snmp index' stuff into an array */
foreach ($_POST as $var => $val) {
//…..
// Substring test: a POST key qualifies if it contains 'sgg_' anywhere; no check of the rest of the key is visible in this excerpt.
if (strpos($var, 'sgg_') !== false) {
// Note: the source is now in $snmp_query_id (the POST key with 'sgg_' removed and nothing else changed); store_get_selected_dq_index() is then called with it
$snmp_query_id = str_replace('sgg_', '', $var);
store_get_selected_dq_index($snmp_query_id);
}
}
//…….
}
// line 100
Note: the source (the request-controlled POST parameter name) is now in $snmp_query_id.
/*
 * Excerpt of store_get_selected_dq_index(). $snmp_query_id arrives from form_save()
 * and is derived from a POST parameter name, so it is request-controlled.
 */
function store_get_selected_dq_index($snmp_query_id) {
// ….
} elseif (isset_request_var('sgg_' . $snmp_query_id)) {
// Note: get_filter_request_var() is called with a parameter NAME rebuilt from the tainted $snmp_query_id.
// Only the name is passed, so the default filter in the signature quoted further down this page
// (FILTER_VALIDATE_INT) applies to the parameter's value.
$selected = get_filter_request_var('sgg_' . $snmp_query_id);
}
//….
}
In file https://github.com/Cacti/cacti/blob/develop/lib/html_utility.php
//line 424
// the source in the argument $name
/*
 * Excerpt of get_filter_request_var(). $name is the request parameter name; on this
 * page's data flow it is built from a POST key and is therefore request-controlled.
 * $filter defaults to FILTER_VALIDATE_INT.
 */
function get_filter_request_var($name, $filter = FILTER_VALIDATE_INT, $options = array()) {
//….
//line 503
// The assignment of $value is elided from this excerpt; presumably false means the filter rejected the request value.
if ($value === false) {
if ($filter == FILTER_VALIDATE_IS_REGEX) {
//….
} else {
// Note: die_html_input_error() is called with the request-controlled parameter name and with
// get_nfilter_request_var($name) — presumably the unfiltered request value; confirm in lib/html_utility.php.
// Neither argument is HTML-encoded here.
die_html_input_error($name, get_nfilter_request_var($name));
}
}
In file https://github.com/Cacti/cacti/blob/develop/lib/html_validate.php
//line 47
// Note: the source in $variable
/*
 * Excerpt of die_html_input_error(): builds a validation error message, prints it in a
 * form that depends on the request context (CLI, JSON, HTML page) and stops the script.
 * This is the sink of the data flow on this page: $variable (a request parameter name)
 * and $value (a request value) end up in the printed output.
 */
function die_html_input_error($variable = '', $value = '', $message = '') {
//….
if ($message == '') {
// Note: $variable and $value are substituted into the message through the %s placeholders;
// __() (quoted further down this page) formats with sprintf and does no HTML encoding.
$message = __('Validation error for variable %s with a value of %s. See backtrace below for more details.', $variable, $value);
}
// Note: $message is printed below. $variable and $value are reassigned here only after $message
// was built; in this excerpt the new strings go to cacti_debug_backtrace() only.
$variable = ($variable != '' ? ', Variable:' . $variable : '');
$value = ($value != '' ? ', Value:' . $value : '');
if (defined('CACTI_CLI_ONLY')) {
cacti_debug_backtrace('Validation Error' . $variable . $value, false);
print $message . PHP_EOL;
exit(1);
} elseif (isset_request_var('json')) {
cacti_debug_backtrace('Validation Error' . $variable . $value, false);
// json_encode() escapes for JSON syntax only, not for HTML; whether this branch is safe depends on
// how the client renders responseText — not visible in this excerpt.
print json_encode(
array(
'status' => '500',
'statusText' => __('Validation Error'),
'responseText' => $message
)
);
} else {
cacti_debug_backtrace('Validation Error' . $variable . $value, true);
// Sink: $message is interpolated into HTML markup with no encoding call visible in this excerpt,
// so markup carried in the parameter name or value reaches the browser unchanged.
// Mitigation: HTML-encode the untrusted parts for this context, e.g. pass $variable and $value through
// htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') before they are formatted into $message.
print "<table style='width:100%;text-align:center;'><tr><td>$message</td></tr></table>";
bottom_footer();
}
exit;
}
}
In file https://github.com/Cacti/cacti/blob/develop/include/global_languages.php
//line 432
/*
 * Excerpt of __(): translates a format string and substitutes the remaining call
 * arguments into it with sprintf. Nothing in the visible lines HTML-encodes the arguments.
 */
function __() {
global $l10n;
$args = func_get_args();
$num = func_num_args();
//….
else{
// Only the format string ($args[0]) is passed through __gettext(); the other arguments are left as given.
$args[0] = __gettext($args[0]);
}
/* process return string against input arguments */
// sprintf inserts the arguments verbatim and __uf() only collapses '%%' to '%', so the caller
// receives the arguments unencoded and must encode for the output context itself.
return __uf(call_user_func_array('sprintf', $args));
}
}
//line 393
/*
 * Excerpt of __gettext(): returns the translation of $text, or $text itself when no
 * translation was set by the (elided) lookup. The result is passed through __uf().
 */
function __gettext($text, $domain = 'cacti') {
//….
// Fallback: without a translation the original text is used unchanged.
if (!isset($translated)) {
$translated = $text;
}
//…..
return __uf($translated);
}
//line 428
/*
 * Collapses every '%%' pair in $text to a single '%'.
 * This is the only transformation applied: the text is not HTML-encoded, so the
 * result is not safe to place in markup without encoding it for that context.
 */
function __uf($text) {
$unescaped = str_replace('%%', '%', $text);

return $unescaped;
}
The vulnerability was confirmed by the developers. The email was sent on 18/06/2022.