@enferas
Last active September 22, 2022 14:18
XSS vulnerability in Cacti

XSS vulnerability in Cacti https://github.com/Cacti/cacti version v1.2.21

The path of the vulnerability is as follows: a parameter name taken from $_POST in graphs_new.php is carried through to die_html_input_error(), where it becomes part of a message that is printed into the HTML response without escaping. In file https://github.com/Cacti/cacti/blob/develop/graphs_new.php

//line 40
switch (get_request_var('action')) {
              case 'save':
                            form_save();
 
//line 117: the taint source is the parameter name ($var) read from $_POST
function form_save() {
              if (isset_request_var('save_component_graph')) {
                            /* summarize the 'create graph from host template/snmp index' stuff into an array */
                            foreach ($_POST as $var => $val) {
                            //…..
                           if (strpos($var, 'sgg_') !== false) {
                                                         // Note: the source in $snmp_query_id then function store_get_selected_dq_index will be called
                                                         $snmp_query_id = str_replace('sgg_', '', $var);
                                                        store_get_selected_dq_index($snmp_query_id);
                                          }
                            }
            //…….
}
// line 100
Note that the source is now in $snmp_query_id (the $_POST key with the 'sgg_' prefix removed)
function store_get_selected_dq_index($snmp_query_id) {
              // ….
              } elseif (isset_request_var('sgg_' . $snmp_query_id)) {
                             // Note: get_filter_request_var will be called
                            $selected = get_filter_request_var('sgg_' . $snmp_query_id);
              }
//….
}

In file https://github.com/Cacti/cacti/blob/develop/lib/html_utility.php

//line 424
// the tainted value arrives here in the argument $name
function get_filter_request_var($name, $filter = FILTER_VALIDATE_INT, $options = array()) {
//….
//line 503
if ($value === false) {
                                          if ($filter == FILTER_VALIDATE_IS_REGEX) {
                                                         //….
                                          } else {
                                                         // Note: function die_html_input_error will be called
                                                         die_html_input_error($name, get_nfilter_request_var($name));
                                          }
                            }

In file https://github.com/Cacti/cacti/blob/develop/lib/html_validate.php

//line 47
// Note: the tainted value arrives here in $variable and is later interpolated into the HTML output
function die_html_input_error($variable = '', $value = '', $message = '') {
              //….
 
              if ($message == '') {
              // Note: the $message will include the $variable as I will explain later, then it will be printed
              $message = __('Validation error for variable %s with a value of %s.  See backtrace below for more details.', $variable, $value);
              }
              //Note: the print of the $message
             $variable = ($variable != '' ? ', Variable:' . $variable : '');
              $value    = ($value    != '' ? ', Value:'    . $value    : '');
 
              if (defined('CACTI_CLI_ONLY')) {
                            cacti_debug_backtrace('Validation Error' . $variable . $value, false);
                            print $message . PHP_EOL;
                            exit(1);
              } elseif (isset_request_var('json')) {
                            cacti_debug_backtrace('Validation Error' . $variable . $value, false);
                            print json_encode(
                                          array(
                                                         'status' => '500',
                                                         'statusText' => __('Validation Error'),
                                                         'responseText' => $message
                                          )
                            );
              } else {
                            cacti_debug_backtrace('Validation Error' . $variable . $value, true);
 
                            print "<table style='width:100%;text-align:center;'><tr><td>$message</td></tr></table>";
                            bottom_footer();
              }
 
              exit;
}
}

In file https://github.com/Cacti/cacti/blob/develop/include/global_languages.php

//line 432
function __() {
              global $l10n;
 
              $args = func_get_args();
              $num  = func_num_args();
 
              //….
                            else{
                                          $args[0] = __gettext($args[0]);
                            }
 
                            /* process return string against input arguments */
                            return __uf(call_user_func_array('sprintf', $args));
              }
}
 
//line 393
function __gettext($text, $domain = 'cacti') {
              //….
 
              if (!isset($translated)) {
                            $translated = $text;
              } 
 
              //…..
              return __uf($translated);
}
 
//line 428
/**
 * Collapse doubled percent signs ('%%') into single ones ('%').
 *
 * Applied to translated strings in __gettext() and to the sprintf()
 * result in __(), so a literal percent written as '%%' survives
 * formatting as a single '%'. Performs no escaping of its input.
 *
 * @param string $text text that may contain '%%' sequences
 * @return string the same text with every '%%' reduced to '%'
 */
function __uf($text) {
	$escapedPercent = '%%';
	$literalPercent = '%';

	return str_replace($escapedPercent, $literalPercent, $text);
}

The vulnerability was confirmed by the developers. The report was emailed on 18/06/2022.
