Moritz Naumann <security@moritz-naumann.com>

cacti:
http://www.cacti.net/

=================================================================
Cacti 0.8.7e and earlier versions are affected by multiple security
issues. Issues 1-4 are cross site scripting issues, issue 5 is a
privilege escalation issue.


1. XSS 1

An HTTP GET request against the following URL will, on a web browser
with Javascript support, cause a dialog box saying '1' to be displayed:

http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
20
21 This vulnerability is only exploitable if the victim is allowed to view
22 graphs. This will be true if the victim has previously authenticated
23 against Cacti or if both the guest user has been activated (default:
24 disabled) and the graph view permission was set to ’guest’ (default:
25 ’No User’).
26
27 This vulnerability was tested with Firefox 3.0.6.
28
29 The Cacti group provides a patch to fix this vulnerability:
30 http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch
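To show why the graph_end reflection in issue 1 works and how output encoding closes it, here is an added Python example (not Cacti's code): it URL-decodes the advisory's request, reflects the value into a hypothetical single-quoted attribute with and without html.escape, and counts the script elements an HTML tokenizer sees. CACTIHOST is the advisory's own placeholder; the template is an assumption, not Cacti's actual markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request URL quoted from the advisory (issue 1); CACTIHOST is the advisory's placeholder.
ADVISORY_URL = ("http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end="
                "1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27")


def graph_end_param(url: str) -> str:
    """Return the URL-decoded graph_end value, i.e. what the application receives."""
    return parse_qs(urlsplit(url).query)["graph_end"][0]


def render_unescaped(graph_end: str) -> str:
    """Hypothetical template that reflects the parameter into a single-quoted
    attribute without encoding: the pattern behind a reflected XSS."""
    return f"<input type='text' name='graph_end' value='{graph_end}'>"


def render_escaped(graph_end: str) -> str:
    """Hardened form: escape(quote=True) encodes ', \", <, > and &, so the value
    can neither terminate the attribute nor open a new tag."""
    return f"<input type='text' name='graph_end' value='{escape(graph_end, quote=True)}'>"


class _ScriptFinder(HTMLParser):
    """Counts <script> start tags the way a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.script_tags += 1


def script_tag_count(markup: str) -> int:
    finder = _ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.script_tags


if __name__ == "__main__":
    value = graph_end_param(ADVISORY_URL)
    print("decoded graph_end:", value)
    print("unescaped render, script tags:", script_tag_count(render_unescaped(value)))
    print("escaped render,   script tags:", script_tag_count(render_escaped(value)))
```

The date1 parameter in issue 2 is the same defect in a POST body; the same attribute-context encoding applies.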
31
32
33
34 2. XSS 2
35
36 The following curl invocation will generate a HTTP POST request
37 against
38
39 http://CACTIHOST/graph_view.php?action=tree&tree_id=1&leaf_id=7&select_first=true
40
41 with an ’application/x−www−form−urlencoded’ content type HTTP body part
42 containing
43 date1=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Cx+y%3D%27’
44 Curl will write the resulting output to a file named poc.html.
45
46 > curl −d ’date1=%27%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E%3Cx+y%3D%27’ ’http://CACTIHOST/graph_view.php?action=t
ree&tree_id=1&leaf_id=7&select_first=true’ > poc.html
47
48 When this file is loaded and rendered by a web browser with Javascript
49 support, this will cause a dialog box saying ’2’ to be displayed.
50
Page 1/3
Cacti 0.8.7e Multiple Security Issues
Moritz Naumann
11/26/2009
This vulnerability is only exploitable if the victim is allowed to view
graphs.