A Stored Cross-Site Scripting (Stored XSS) vulnerability was recently discovered in Cacti that allows an authenticated user to poison data stored in Cacti’s database.
When an administrative account later views this poisoned data, the injected JS code executes in the victim’s browser.
Cacti is a web-based open-source network monitoring, fault, and configuration management tool that acts as an RRDtool (round-robin database tool). It allows users to poll services at specified intervals and graph the resulting data.
Cacti Cross-Site-Scripting Vulnerability
Cacti has a PHP file named “reports_admin.php,” which displays reporting information about graphs, devices, data sources, etc. This page can be viewed only by administrative accounts with additional privileges.
If a device name associated with a graph on the report contains malicious markup, rendering this page results in stored XSS.
Users who have General Administration>Sites/Devices/Data permissions can configure a device name in Cacti.
The device name is configured through http://<HOST>/cacti/host.php and is rendered at http://<HOST>/cacti/reports_admin.php.
Hence, a threat actor can supply the malicious device name via host.php, and the malicious payload will be executed when reports_admin.php is rendered.
The payload executes because the $title variable is concatenated with the non-escaped $description variable in the rendering code path, so the injected JS runs against the victim browser’s DOM. This is what makes the issue a stored XSS attack.
Administrative accounts load the reports_admin.php page with an ordinary GET request, and the malicious JS code executes as the page is rendered.
The HTTP response for this request contains the malicious payload as a raw HTML tag rather than as escaped text.
If threat actors successfully exploit this vulnerability, they can:
- Take over accounts (Account TakeOver, ATO)
- Perform malicious actions as the victim user
- Redirect the user to a malicious website
- Retrieve sensitive information by disguising a page as the Cacti webpage
- Carry out browser-based exploitation and attacks
- Build a botnet and conduct a DDoS attack
A complete report about this Stored XSS vulnerability has been published on GitHub, providing additional information about the methods of execution and impacts.
Organizations using Cacti are recommended to render the device data as a text node (escaped) in the generated HTML so that the stored markup is displayed as plain text and is never executed in the final HTML output.
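The concatenation flaw described above and the escaping fix recommended here, shown side by side as an added example. This is not Cacti’s own code: the function names, the `$title` prefix string and the constructed device name are assumptions made for illustration.

```php
<?php
// Added example (not Cacti's own code): a constructed device-name value and
// two render functions for the report title, showing why raw concatenation
// is dangerous and how escaping fixes it. Names are assumed, not Cacti's.

// Constructed sample: a device name containing markup, as a user with
// device-edit permission could store it through host.php.
$description = 'core-switch-01 <script>document.title="xss"</script>';
$title = 'Report for device: ';

// Vulnerable form: $description is concatenated straight into the HTML, so
// the browser parses the stored <script> element and runs it (stored XSS).
function render_title_unescaped(string $title, string $description): string {
    return '<h2>' . $title . $description . '</h2>';
}

// Hardened form: htmlspecialchars turns <, >, &, " and ' into entities, so
// the device name is displayed as text and is never parsed as markup.
function render_title_escaped(string $title, string $description): string {
    $safe_title = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_desc  = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $safe_title . $safe_desc . '</h2>';
}

// Regression check a reviewer could keep in a test suite: output built from
// untrusted input must not contain a raw <script> start tag.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vulnerable = render_title_unescaped($title, $description);
$hardened   = render_title_escaped($title, $description);

// The unescaped output keeps the <script> tag intact; the escaped output
// carries only entity-encoded text, so the check is true for the first and
// false for the second.
echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
var_dump(contains_raw_script($vulnerable));
var_dump(contains_raw_script($hardened));
```

The same escaping must be applied to every stored field that reaches the page, not only the device name, since any unescaped concatenation reintroduces the issue.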