Cacti, an open-source operational monitoring and fault management framework, has been identified with a Stored Cross-Site Scripting (XSS) vulnerability in certain versions. This security issue allows an authenticated user to poison data stored in Cacti's database which can then be viewed and executed by other administrative users. In this long read, we will delve into the details of the exploit, its impact, and the steps that can be taken to secure your Cacti installation against this vulnerability.

Exploit Details

CVE-2023-39516, as the vulnerability has been identified, affects Cacti versions up to and including version 1.2.24. This security flaw allows an attacker with 'General Administration > Sites/Devices/Data' permissions to configure a malicious data-source path that triggers an XSS attack against other users with similar or broader permissions.

The affected script, data_sources.php, handles data source management information, including data source paths and polling configurations. When an adversary is able to configure a malicious data-source path, they can execute JavaScript code on the victim's browser upon viewing the affected page.

For demonstration purposes, let's assume an attacker inserts the following malicious code as a data source path:

javascript:alert('XSS Attack!');

This configuration can be done using the http://<HOST>/cacti/data_sources.php page, which is also used for previewing the data source path. When an administrator previews or views the path, the JavaScript code will execute, exposing them to the attacker's stored XSS attack.

For further information, refer to the following original references:

- Official Cacti website: https://www.cacti.net/
- Cacti GitHub repository: https://github.com/Cacti/cacti
- CENSUS Security Advisory: https://census-labs.com/2023/01/01/cve-2023-39516-cacti-stored-xss/
- CVE-2023-39516 (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-39516
- Release notes for Cacti 1.2.25: https://github.com/Cacti/cacti/blob/develop/CHANGELOG.md

Mitigation

To protect your Cacti installation against this vulnerability, it is strongly recommended to upgrade to Cacti version 1.2.25 or newer, which addresses this issue. Upgrading instructions can be found in the official Cacti documentation here: https://docs.cacti.net/manual:099:upgrading

If upgrading is not an option, users can manually escape HTML output to prevent execution of malicious JavaScript code. This can be achieved by editing the data_sources.php script and HTML-escaping the stored data-source path before it is rendered, so that the value is displayed as plain text rather than interpreted as markup or script.
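As an added illustration of that manual mitigation (this is example code, not Cacti's own data_sources.php), the PHP fragment below contrasts raw interpolation of a stored path with escaped output, and adds a hypothetical allow-list check: HTML escaping alone does not neutralise a javascript: URL if the preview renders the path as a link, so the check also rejects anything that does not look like an RRD file path.

```php
<?php
// Added example, not Cacti code. Assumes the stored data-source path arrives
// from the database as a string and is rendered in an admin HTML page.

/** Escape a value for HTML text or attribute context. */
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical allow-list: a data-source path should look like an RRD file
 * (Cacti-style "<path_rra>/..." placeholders included), not a URL. This rejects
 * URL schemes such as javascript:, which escaping does not stop inside an href.
 */
function is_plausible_rrd_path(string $path): bool {
    return (bool) preg_match('~^[A-Za-z0-9_./<>\-]+\.rrd$~', $path)
        && strpos($path, '..') === false;
}

// Vulnerable pattern: the stored value is written into the page as-is,
// both as visible text and as the preview link target.
function render_path_unsafe(string $path): string {
    return "<a href=\"$path\">$path</a>";
}

// Hardened pattern: always escape; only build a link for plausible paths,
// and flag rejected values visibly so administrators can spot tampering.
function render_path_safe(string $path): string {
    $shown = html_escape($path);
    if (!is_plausible_rrd_path($path)) {
        return '<span class="invalid">' . $shown . ' (rejected: not an RRD path)</span>';
    }
    return '<a href="' . $shown . '">' . $shown . '</a>';
}

// Constructed samples: a legitimate Cacti-style path and the payload from this write-up.
$samples = [
    '<path_rra>/host_1_traffic_in_5.rrd',
    "javascript:alert('XSS Attack!');",
];
foreach ($samples as $p) {
    echo "unsafe: ", render_path_unsafe($p), "\n";
    echo "safe:   ", render_path_safe($p), "\n";
}
```

Note that the legitimate path still renders correctly after escaping (its angle brackets become entities), while the javascript: value is shown as inert text and never becomes a link target.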

Conclusion

CVE-2023-39516 is a stored XSS vulnerability affecting Cacti installations, allowing an authenticated attacker to insert malicious JavaScript code into data-source paths and have it execute in the victim's browser when viewed by administrative users. This vulnerability highlights the importance of regularly updating your software to ensure the latest security fixes are applied. Users are advised to upgrade to Cacti version 1.2.25 or implement the manual mitigation steps described above to protect their systems from this exploit.

Timeline

Published on: 09/05/2023 22:15:09 UTC
Last modified on: 11/09/2023 05:15:10 UTC