Cacti / cacti

Cacti ™

Home Page:http://www.cacti.net


some vulns found in cacti 1.1.15

kevinoclam opened this issue · comments

I found some vulns in cacti 1.1.15

the uncorrected fix to issue #847 (CVE-2017-11163)
another XSS vuln
a path traversal vuln
a code exec vuln

XSS
./lib/html_form.php
line 1153
$cancel_action = "<input type='button' onClick='cactiReturnTo(\"" . htmlspecialchars($cancel_url) . "\")' value='" . $calt . "'>";
well, htmlspecialchars() does not filter ' by default
http://php.net/manual/en/function.htmlspecialchars.php
you should use htmlspecialchars($cancel_url, ENT_QUOTES)
this causes the fix to issue #847 (CVE-2017-11163) not to work well
and the fix to issue #867 should maybe also use htmlspecialchars($_SESSION['profile_referer'], ENT_QUOTES)
and it also works at ./graphs_new.php
the request (screenshot)
the XSS code works (screenshot)

path traversal
./utilities.php
line 868
$logfile = read_config_option('path_cactilog');
well, the parameter 'path_cactilog' can be edited at the Settings ~ Paths page, so an authenticated user can change the path of the log file to get any file on the server, for example /etc/passwd
edit the path at the settings page (screenshot)
get the content of /etc/passwd at log_view (screenshot)

code exec
./spikekill.php
lines 66~73
$results .= shell_exec(read_config_option('path_php_binary') . ' -q ' . $config['base_path'] . '/cli/removespikes.php ' . ' -R=' . $data_source_path . (isset_request_var('dryrun') ? ' --dryrun' : '') . (isset_request_var('method') ? ' -M=' . get_nfilter_request_var('method'):'') . (isset_request_var('avgnan') ? ' -A=' . get_nfilter_request_var('avgnan'):'') . (isset_request_var('outlier-start') ? ' --outlier-start=' . get_nfilter_request_var('outlier-start'):'') . (isset_request_var('outlier-end') ? ' --outlier-end=' . get_nfilter_request_var('outlier-end'):'') . ' -U=' . $_SESSION['sess_user_id'] . ' --html');

the parameter path_php_binary can also be edited by an authorized user, just like the path of the log,
so just putting this parameter into shell_exec() can cause a code exec vuln
edit path_php_binary at the settings page, as well as the other parameters (screenshot)
send the request to ./spikekill.php (screenshot)
find the 123.txt file at /tmp/ (screenshot)

an unauthorized attacker can use a social engineering way to use the XSS vuln and get the cookie of an authorized user, then become an authorized attacker to perform the path traversal and code exec

Chen ruiqi
Codesafe Team
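The htmlspecialchars() point in the report, shown as an added example (this is not Cacti's code and not the fix the project shipped). build_cancel_button() is a stand-in for the $cancel_action line quoted from lib/html_form.php, with the encoding flags made a parameter so the default and the ENT_QUOTES behaviour can be compared on the same constructed input; build_cancel_button_layered() and attribute_breaks() are hypothetical helpers added for the illustration.

```php
<?php
// Added example (not Cacti's code): why htmlspecialchars() with its default flags
// is not enough for a value placed inside a single-quoted HTML attribute, and the
// ENT_QUOTES form suggested in the report. build_cancel_button() is a stand-in for
// the $cancel_action assignment in lib/html_form.php.

function build_cancel_button(string $cancel_url, string $calt, int $flags): string
{
    // Same markup shape as the original line: the encoded URL lands inside
    // onClick='cactiReturnTo("...")', i.e. a single-quoted attribute.
    $enc = htmlspecialchars($cancel_url, $flags, 'UTF-8');
    return "<input type='button' onClick='cactiReturnTo(\"" . $enc . "\")' value='" . $calt . "'>";
}

// Layered variant: encode for the JavaScript string context first (json_encode()
// supplies the surrounding quotes and backslash-escapes), then for the HTML
// attribute context. Browsers decode entities in an event-handler attribute
// before the JavaScript inside it is parsed, so both layers matter.
function build_cancel_button_layered(string $cancel_url, string $calt): string
{
    $js  = json_encode($cancel_url);
    $enc = htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
    return "<input type='button' onClick='cactiReturnTo(" . $enc . ")' value='" . $calt . "'>";
}

// True when the encoded value still contains a raw single quote, i.e. when it can
// terminate the single-quoted attribute early.
function attribute_breaks(string $cancel_url, int $flags): bool
{
    return strpos(htmlspecialchars($cancel_url, $flags, 'UTF-8'), "'") !== false;
}

// Constructed sample input: a return URL carrying a single quote.
$cancel_url = "graphs.php?id=1' x='y";

// ENT_COMPAT | ENT_HTML401 is what htmlspecialchars() used by default before PHP 8.1
// (8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401). With
// these flags the single quote is passed through unchanged.
var_dump(attribute_breaks($cancel_url, ENT_COMPAT | ENT_HTML401));

// With ENT_QUOTES the single quote is emitted as the entity &#039;.
var_dump(attribute_breaks($cancel_url, ENT_QUOTES | ENT_HTML401));

echo build_cancel_button($cancel_url, 'Cancel', ENT_COMPAT | ENT_HTML401), "\n";
echo build_cancel_button($cancel_url, 'Cancel', ENT_QUOTES | ENT_HTML401), "\n";
echo build_cancel_button_layered($cancel_url, 'Cancel'), "\n";
```

Run it with `php example.php`. The first var_dump() is true and the second false: the default flag set leaves the single quote in the attribute value, ENT_QUOTES encodes it. The layered variant is the general form for a value that sits in two contexts at once (a JavaScript string literal inside an HTML attribute); the ENT_QUOTES change the report asks for is the part that closes the attribute-boundary problem discussed in this issue.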

The three issues about an authorized user altering settings to values that do expectedly bad things do not equate to a vuln IMHO. It would be similar to a gun owner placing a loaded gun in their pocket without the safety off and then shooting themselves in the foot five minutes later while the gun was still in their pocket.

So, the html_form.php issue. Yup, good one and the spikekill issue is a potential issue, but not the one you reported which is equivalent to the one above. It's more of a potential shell escaping issue that needs to be reviewed. It may, in the end, not be an issue.

Thanks for keeping us honest.
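The shell-escaping point raised in the reply above, as an added example (not Cacti's code and not the project's eventual fix). build_spikekill_command() rebuilds the command line from the spikekill.php excerpt with every argument passed through escapeshellarg(); php_binary_is_usable() and log_path_within() are hypothetical checks for the two settings-driven reports (path_php_binary and path_cactilog). The $settings and $request arrays are constructed stand-ins for read_config_option() and the request helpers used in the original line.

```php
<?php
// Added example (not Cacti's code): a hardened shape for the shell_exec() call in
// spikekill.php plus containment checks for two path settings. Function names and
// the $settings / $request arrays are constructed stand-ins, not Cacti APIs.

// Build the removespikes.php command line so that every piece is one shell word.
// escapeshellarg() single-quotes each argument, so ';', '&&', backticks and spaces
// in a request value or in a setting cannot start a second command.
function build_spikekill_command(array $settings, string $base_path, string $data_source_path,
                                 array $request, int $user_id): string
{
    $args = [
        $settings['path_php_binary'],
        '-q',
        $base_path . '/cli/removespikes.php',
        '-R=' . $data_source_path,
    ];
    if (isset($request['dryrun'])) {
        $args[] = '--dryrun';
    }
    // Same request parameters and flags as the original line.
    $flags = [
        'method'        => '-M=',
        'avgnan'        => '-A=',
        'outlier-start' => '--outlier-start=',
        'outlier-end'   => '--outlier-end=',
    ];
    foreach ($flags as $key => $flag) {
        if (isset($request[$key])) {
            $args[] = $flag . $request[$key];
        }
    }
    $args[] = '-U=' . $user_id;
    $args[] = '--html';
    return implode(' ', array_map('escapeshellarg', $args));
}

// Accept a configured PHP binary only if it resolves to an existing executable file.
function php_binary_is_usable(string $path): bool
{
    $real = realpath($path);
    return $real !== false && is_file($real) && is_executable($real);
}

// Accept a configured log path only if it resolves to a regular file inside $log_dir,
// so a setting pointing at /etc/passwd is refused before the log viewer reads it.
function log_path_within(string $logfile, string $log_dir): bool
{
    $dir  = realpath($log_dir);
    $file = realpath($logfile);
    if ($dir === false || $file === false || !is_file($file)) {
        return false;
    }
    $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $dir, strlen($dir)) === 0;
}

// Constructed sample values: the -M= value carries a shell metacharacter.
$settings = ['path_php_binary' => '/usr/bin/php'];
$request  = ['method' => 'stddev; echo injected', 'dryrun' => '1'];

if (php_binary_is_usable($settings['path_php_binary'])) {
    $cmd = build_spikekill_command($settings, '/var/www/cacti',
                                   '/var/www/cacti/rra/local_linux_1.rrd', $request, 1);
    // Each argument is now a single-quoted word; the ';' reaches removespikes.php
    // as literal text instead of being interpreted by the shell.
    echo $cmd, "\n";
}

var_dump(log_path_within('/etc/passwd', '/var/www/cacti/log'));
var_dump(log_path_within('/var/www/cacti/log/cacti.log', '/var/www/cacti/log'));
```

The quoting alone removes the shell-interpretation problem for the request parameters; the two path checks are the separate, deployment-side guard for settings an authorized user can change. log_path_within() uses realpath() on both sides so that symlinks and ../ segments are resolved before the prefix comparison, and it returns false for any path that does not exist, which is the safe default for a viewer.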

thanks for the quick reply and the fix
and it's a really good example with the gun man
I reported all those just because I found them all, and it's my duty to report all to you
Best wishes

We appreciate your efforts. Thanks!

well, I found that the patch to issue 867 should also add ENT_QUOTES

That's cleared up too.

what an RCE?
just a normal function