Bug 459229 (CVE-2010-2545) - CVE-2010-2545 cacti: XSS via various object names or descriptions
Summary: CVE-2010-2545 cacti: XSS via various object names or descriptions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=redhat,public=20100709,reporte...
Depends On: 459106
Blocks:
 
Reported: 2008-08-15 08:28 UTC by Marc Schoenefeld
Modified: 2019-06-08 12:34 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-30 03:30:22 UTC


Attachments
patch to fix xss in cacti (948 bytes, patch)
2010-04-28 17:36 UTC, Vincent Danen


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0635 normal SHIPPED_LIVE Important: Red Hat High Performance Computing (HPC) Solution 5.5 2010-08-20 02:42:21 UTC

Description Marc Schoenefeld 2008-08-15 08:28:33 UTC
Description:

templates_import.php does not filter HTML metacharacters when importing
XML template files. This may cause persistent cross-site scripting
when importing templates from untrusted sources.


How to reproduce:

/cacti/templates_import.php: 

Import a template file with a specially crafted <name>...</name> tag, 
such as shown here.

<cacti>
    <hash_000016fe5edd777a76d48fc48c11aded5211ef>
      <name>
         Unix - Load Average<![CDATA[<script>alert(document.cookie)</script>]]>   
      </name>
...

Comment 2 OCS Support 2008-09-22 17:53:23 UTC
Fix provided to Nils in package cacti-0.8.7b-1.1.src.rpm

Comment 3 Vincent Danen 2010-04-28 17:15:40 UTC
This is not fixed in 0.8.7e which is in current HPC 1.2 (0.8.7e-1.1.el5 is in HPC, testing with 0.8.7e-3.fc12 which would have more fixes for recent issues).

This can be reproduced by going to Export Templates, selecting a template to export and outputting it to the browser within Cacti. Copy this, then go to Import Templates and paste it in. Then edit the <name></name> section as noted above (I copied the Cisco - CPU Usage template).

When you go back to the Export Template page after importing, you will get a popup that prints:

Cacti=8fbm1iu01ih6su8rabm7fgp8t1

which is the cookie data.  Going to the Export Template page and looking at the exported template, I see:

<name>Cisco - CPU Usage Test&lt;script&gt;alert(document.cookie)&lt;/script&gt;</name>

So it's being filtered on display/export, but it's being interpreted when the export page is being shown due to:

<select id='export_item_id' name='export_item_id'><option value='18'>Cisco - CPU Usage Test<script>alert(document.cookie)</script></option>

(not escaped when building the select list). Looking at the list of patches upstream, this is not fixed there either.

Comment 4 Vincent Danen 2010-04-28 17:36:16 UTC
Created attachment 409911 [details]
patch to fix xss in cacti

This patch fixes the problem for me by throwing htmlspecialchars() around data pulled from the database to create the dropdown menu list.
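
The two findings above (the importer storing a live <script> from a CDATA section, and the export page's <select> list echoing the stored name without escaping, while the XML export of the same value is escaped) can be shown side by side in a few lines of PHP. This is an added illustration written for this page, not Cacti code or the attached patch. The XML fragment is constructed after the one in the description, the row id 18 is taken from comment 3, and buildSelectVulnerable()/buildSelectSafe() are hypothetical stand-ins for the code that builds the dropdown; the hardened version applies the same fix comment 4 describes, htmlspecialchars() at the point the database value is written into HTML. The same rule covers the other name and description fields mentioned later in the bug: escape per output sink, not once at import.

```php
<?php
// Added example, not Cacti's code. Constructed import file modelled on the one in the
// bug description (the hash element name is copied from there).
$importXml = <<<'XML'
<cacti>
  <hash_000016fe5edd777a76d48fc48c11aded5211ef>
    <name>Unix - Load Average<![CDATA[<script>alert(document.cookie)</script>]]></name>
  </hash_000016fe5edd777a76d48fc48c11aded5211ef>
</cacti>
XML;

// Step 1: what an importer stores. The XML parser resolves the CDATA section, so the value
// that reaches the database holds literal angle brackets and a live <script> element.
// LIBXML_NOCDATA merges the CDATA node into the surrounding text for the string cast.
function importedName(string $xml): string {
    $doc = new SimpleXMLElement($xml, LIBXML_NOCDATA);
    foreach ($doc->children() as $hashNode) {
        return trim((string) $hashNode->name);
    }
    return '';
}

// Step 2a: the pre-fix behaviour described in comment 3. The row from the database is
// concatenated straight into the <option>, so the stored markup becomes part of the page.
function buildSelectVulnerable(array $rows): string {
    $html = "<select id='export_item_id' name='export_item_id'>";
    foreach ($rows as $row) {
        $html .= "<option value='" . $row['id'] . "'>" . $row['name'] . "</option>";
    }
    return $html . "</select>";
}

// Step 2b: the hardened rendering, the approach comment 4 describes. Every database-sourced
// value is escaped where it is written into HTML. ENT_QUOTES also neutralises quotes inside
// the single-quoted value attribute; the id is cast to int on the assumption that it is an
// integer column (true for this example's constructed row).
function buildSelectSafe(array $rows): string {
    $html = "<select id='export_item_id' name='export_item_id'>";
    foreach ($rows as $row) {
        $html .= "<option value='" . (int) $row['id'] . "'>"
               . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
               . "</option>";
    }
    return $html . "</select>";
}

// Step 3: the XML export path, which comment 3 found already escaped. Escaping here does
// nothing for the <select> sink above: each output point needs its own encoding.
function exportNameXml(string $name): string {
    return '<name>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</name>';
}

// Quick check a tester can apply to any generated page: is there still a raw <script tag?
function containsRawScript(string $html): bool {
    return stripos($html, '<script') !== false;
}

$name = importedName($importXml);
$rows = [['id' => 18, 'name' => $name]]; // constructed: stands in for the DB row

echo "stored name:   $name\n";
echo "xml export:    " . exportNameXml($name) . "\n";
echo "vulnerable:    " . buildSelectVulnerable($rows) . "\n";
echo "hardened:      " . buildSelectSafe($rows) . "\n";
echo "script in vulnerable output: " . var_export(containsRawScript(buildSelectVulnerable($rows)), true) . "\n";
echo "script in hardened output:   " . var_export(containsRawScript(buildSelectSafe($rows)), true) . "\n";
```

Running this prints the stored name with the <script> intact, an escaped XML export, a vulnerable <option> that still carries the raw tag, and a hardened <option> in which it has become &lt;script&gt;. The practical lesson from the thread is that seeing an escaped value in one view (the XML export) says nothing about the other places the same column is rendered, which is why the later comments widen the fix to every name and description attribute printed back into Cacti's pages.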

Comment 8 Tomas Hoger 2010-06-29 09:40:04 UTC
This problem is not limited to template import.  You can inject JS into template name even when creating templates manually.  This can only be performed by cacti administrator.

Marc, was this originally reported as template import only issue due to a "cacti admin can be tricked to import untrusted template" vector?

This still affects 0.8.7f-1.

Comment 10 Tomas Hoger 2010-07-12 09:45:55 UTC
During the discussions with upstream, it was discovered that other items that can be configured in cacti and have a name, description, or similar attribute can be used as an injection vector. In all cases, a certain level of administrative privileges is required to change those attributes. The following upstream patches, added in 0.8.7g, add HTML escaping before those attributes are printed back to generated web pages:

http://svn.cacti.net/viewvc?view=rev&revision=6037
http://svn.cacti.net/viewvc?view=rev&revision=6038
http://svn.cacti.net/viewvc?view=rev&revision=6041
http://svn.cacti.net/viewvc?view=rev&revision=6042

http://cacti.net/release_notes_0_8_7g.php

Comment 12 errata-xmlrpc 2010-08-20 02:42:40 UTC
This issue has been addressed in the following products:

  Red Hat HPC Solution for RHEL 5

Via RHSA-2010:0635 https://rhn.redhat.com/errata/RHSA-2010-0635.html

