Cacti is a widely used, open-source operational monitoring and fault management framework. It provides a powerful and easy-to-use web interface for users to manage SNMP-enabled network devices and servers. Unfortunately, in a recent vulnerability discovery, it was found that affected versions of Cacti are subject to stored Cross-Site Scripting (XSS) attacks. This vulnerability allows an authenticated user to poison data stored in Cacti's database, potentially leading to dangerous scenarios and unauthorized access.
Exploit Details
The vulnerability, CVE-2023-39515, was discovered by the research team at CENSUS. The problematic script, data_debug.php, displays data source related debugging information such as data source paths, polling settings, and metadata on the data source. CENSUS found that an adversary who is able to configure a malicious data-source path can deploy a stored XSS attack against any user with privileges related to viewing the data_debug.php information.
A user with General Administration > Sites/Devices/Data permissions can configure the data source path in Cacti. This configuration occurs through the following URL: http://<HOST>/cacti/data_sources.php.
To demonstrate the potential risk, let's look at a simple example of a malicious data source path
<svg/onload=alert('XSS Attack')>
By embedding this path in Cacti's data_sources.php form, an attacker could execute JavaScript code in the victim's browser when they view the poisoned data.
Mitigation
Cacti's development team has addressed this issue in version 1.2.25, so the best way to protect yourself against this vulnerability is to upgrade your Cacti installation. Download the latest version here: Cacti 1.2.25
If you are unable to update your Cacti installation, an alternative mitigation method is to manually filter HTML output. This can be achieved by sanitizing any data received from users before it is saved in the database, effectively preventing the stored XSS attack from occurring.
To learn more about this vulnerability, check out the following resources
- Cacti Home Page
- CVE-2023-39515 Details
- CENSUS Security Advisory
Conclusion
CVE-2023-39515 is a concerning stored Cross-Site Scripting vulnerability affecting Cacti's data_sources.php functionality. To prevent attacks, users are advised to either upgrade their Cacti installations to version 1.2.25 or manually filter HTML output. Stay vigilant and keep your systems up-to-date to protect against potential threats.
Timeline
Published on: 09/05/2023 21:15:47 UTC
Last modified on: 11/09/2023 05:15:10 UTC