Path-Based Cross-Site Scripting (XSS) #1010

Closed
andermat8 opened this issue Oct 4, 2017 · 6 comments

Comments

@andermat8

Running version 1.1.23. Had a security scan performed on application and found 45 instances of XSS:

Threat

XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload. In this case, the scanner identified the vulnerability by injecting a payload as part of the path component of the URL, as opposed to other kinds of XSS attacks that inject the payload into URL parameter values.

Impact

XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as a part of a compromise.

Solution

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers. Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

@paulgevers
Contributor

@andermat8 this bug contains no information to act upon. You describe what an XSS is; most people here know that, as Cacti has fixed XSS bugs before.

So, please describe the vulnerabilities themselves, and how to exploit them, such that they can be fixed.

@andermat8
Author

I have several of them so let me provide you one and let me know if this information is sufficient:
150117 Path-Based Cross-Site Scripting (XSS)

URL: http://cactiw02.web.com/cacti/graph_view.php?"%26gt;%26lt;script%26gt;_q_q=')('%26lt;/script%26gt;

Finding #: 7401783 (577106947)
Severity: Confirmed Vulnerability - Level 5
Group: Cross-Site Scripting
First Time Detected: 27 Sep 2017 13:23 GMT
CWE:
Last Time Detected: 27 Sep 2017 13:23 GMT
OWASP:
Last Time Tested: 27 Sep 2017 13:23 GMT
WASC:
Times Detected: 1
CVSS Base: 4.3 CVSS Temporal: 4.3

Details

Threat

XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.

In this case, the scanner identified the vulnerability by injecting a payload as part of the path component of the URL, as opposed to other kinds of XSS attacks that inject the payload into URL parameter values.

Impact

XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as a part of a compromise.

Solution

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

Detection Information

Parameter

No param has been required for detecting the information.

Authentication

In order to detect this vulnerability, the scan required authentication to be enabled.

Payloads

#1 Request

Payload

@Append@?"><script>_q_q=')('</script>

Request

GET http://cactiw02.web.com/cacti/graph_view.php?"><script>_q_q=')('</script>

#1 Referer: http://cactiw02.web.com/cacti/
#2 Cookie: Cacti=k2e2hro911sboeqqpo3r0vmhe2;

#1 Response

$('.loginRight').css('width',parseInt($(window).width()*0.33)+'px');
});
</script>

<script type='text/javascript'> var cactiVersion='1.1.23'; var theme='classic'; var refreshIsLogout=false; var refreshPage='/cacti/graph_view.php?"><script>_q_q=')('</script>&header=false';

var refreshMSeconds=300000;
var urlPath='/cacti/';
var previousPage='';
var requestURI='/cacti/graph_view.php?"><script>_q_q=')('</script>';
var searchFilter='Enter a search term';
var searchRFilter='Enter a regula

@paulgevers
Contributor

Hi,

This is much more useful, although I miss the exact exploit. What should happen in your example?

I have 1.1.25, I don't notice anything happening, and indeed I get a slightly different response. What I see is that everything except ')( is escaped. Does this mean the issue is fixed between 1.1.23 and 1.1.25, or is there something more subtle going on?

	<script type='text/javascript'>
	var cactiVersion='1.1.25';
	var theme='classic';
	var refreshIsLogout=false;
	var refreshPage='/cacti/graph_view.php?%22%3E%3Cscript%3E_q_q=')('%3C/script%3E&header=false';
	var refreshMSeconds=300000;
	var urlPath='/cacti/';
	var previousPage='';
	var requestURI='/cacti/graph_view.php?%22%3E%3Cscript%3E_q_q=')('%3C/script%3E';

@andermat8
Author

It would be great if an upgrade can correct this. Let me provide you with some more:

150117 Path-Based Cross-Site Scripting (XSS)

URL: http://cactiw02.web.com/cacti/gprint_presets.php?"%26gt;%26lt;script%26gt;_q_q=')('%26lt;/script%26gt;

Finding #: 7401784 (577106948)
Severity: Confirmed Vulnerability - Level 5
Group: Cross-Site Scripting
First Time Detected: 27 Sep 2017 13:23 GMT
CWE:
Last Time Detected: 27 Sep 2017 13:23 GMT
OWASP:
Last Time Tested: 27 Sep 2017 13:23 GMT
WASC:
Times Detected: 1
CVSS Base: 4.3 CVSS Temporal: 4.3

Details

Threat

XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.

In this case, the scanner identified the vulnerability by injecting a payload as part of the path component of the URL, as opposed to other kinds of XSS attacks that inject the payload into URL parameter values.

Impact

XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as a part of a compromise.

Solution

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

Detection Information

Parameter

No param has been required for detecting the information.

Authentication

In order to detect this vulnerability, the scan required authentication to be enabled.

Payloads

#1 Request

Payload

@Append@?"><script>_q_q=')('</script>

Request

GET http://cactiw02.web.com/cacti/gprint_presets.php?"><script>_q_q=')('</script>

#1 Referer: http://cactiw02.web.com/cacti/
#2 Cookie: Cacti=k2e2hro911sboeqqpo3r0vmhe2;

Click this ">link to try to reproduce the vulnerability using the above payload. Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.

#1 Response

sion='1.1.23';
var theme='classic';
var refreshIsLogout=true;
var refreshPage='/cacti/logout.php?action=timeout';
var refreshMSeconds=3600000;
var urlPath='/cacti/';
var previousPage='';
var requestURI='/cacti/gprint_presets.php?"><script>_q_q=')('</script>';
var searchFilter='Enter a search term';
var searchRFilter='Enter a regular expression';
var noFileSelected='No file selected';
var timeGraphView='Time Graph View';
var filterSettingsSaved='Filter Settings Saved';
var spikeKillR

@reboot1983 reboot1983 mentioned this issue Oct 7, 2017
ronytomen pushed a commit that referenced this issue Oct 7, 2017
Fix for issue #1010
@paulgevers
Contributor

CVE-2017-15194

cigamit added a commit that referenced this issue Oct 12, 2017
Auto log page refresh broken.  Reworking CVE fix from Issue #1010
@cigamit
Member

cigamit commented Oct 12, 2017

I had to update this fix slightly for issue #1028. First, for the $_SERVER['REQUEST_URI'], I'm using the Cacti builtin function html_escape(), and for the refresh page, I'm only escaping the $_SERVER[''] branch of the logic as this negatively impacted the refresh page feature controlled in plugins.
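An added example, not Cacti's code, that models the output context the two responses in this thread show: the request URI written into a single-quoted JavaScript string inside an inline script block. It contrasts the raw 1.1.23 output, the partial percent-encoding visible in the 1.1.25 response (which leaves ')( intact, as paulgevers observed), full percent-encoding, and HTML-entity encoding in the spirit of the html_escape() fix cigamit describes; the audit function is constructed for this example, and exactly which characters Cacti's html_escape() encodes is an assumption, not something confirmed here.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input: the request URI the scanner reflected into Cacti's
# inline <script> block (payload copied from the report in this thread).
REQUEST_URI = "/cacti/graph_view.php?\"><script>_q_q=')('</script>"


def render(value):
    """Embed a value the way the reflected page does: a single-quoted JS literal."""
    return "<script type='text/javascript'> var requestURI='%s';</script>" % value


def audit_js_single_quoted(value):
    """List the ways `value` can break out of a single-quoted JS literal in <script>.

    Two parsers matter: the HTML tokenizer ends the script block at '</script'
    regardless of JS quoting state, and the JS parser ends or alters the literal
    on an unescaped single quote, a backslash or a line break.
    """
    problems = []
    if re.search(r"</script", value, re.IGNORECASE):
        problems.append("script_close")
    if "<!--" in value:
        problems.append("html_comment_open")
    if re.search(r"(?<!\\)'", value):
        problems.append("quote")
    if "\\" in value:
        problems.append("backslash")
    if "\n" in value or "\r" in value:
        problems.append("newline")
    return problems


def encode_like_1_1_25(uri):
    """Percent-encode only " < > (what the 1.1.25 response shows); ')( survives."""
    return quote(uri, safe="/?=&'()")


def encode_percent_full(uri):
    """Percent-encode everything that is not URL syntax, including ' ( )."""
    return quote(uri, safe="/?=&")


def encode_html_escape(uri, quote_chars=True):
    """HTML-entity-encode. Entities are not decoded inside <script>, so this is
    only safe for a single-quoted literal if the quote itself is encoded too."""
    return html.escape(uri, quote=quote_chars)


if __name__ == "__main__":
    for name, fn in [("raw", lambda u: u), ("1.1.25", encode_like_1_1_25),
                     ("percent", encode_percent_full), ("html", encode_html_escape)]:
        value = fn(REQUEST_URI)
        print("%-8s %-24s %s" % (name, audit_js_single_quoted(value) or "ok", render(value)))
```

The audit only covers the single-quoted JS string context shown in this thread; a value placed into an attribute or text node needs the encoder for that context instead.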

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 30, 2020