A reflection XSS vulnerability was discovered. Attackers can exploit this vulnerability to perform actions on behalf of other users.
$debug_data = import_xml_data($xml_data, $import_as_new, $profile_id, $remove_orphans, $replace_svalues, $import_hashes);
if (!$preview_only) {
// ...
} elseif ($debug_data !== false && cacti_sizeof($debug_data)) {
// ...
} else {
cacti_log(sprintf("ERROR: Import or Preview failed for XML file %s!", $_FILES['import_file']['name']), false, 'IMPORT');
$message_text = '';
if (cacti_sizeof($import_messages)) {
foreach($import_messages as $message) {
if (isset($messages[$message])) {
$message_text .= ($message_text != '' ? '<br>':'') . $messages[$message]['message'];
}
}
}
raise_message_javascript(__('Error in Template', 'package'), __('The Template XML file "%s" validation failed', $_FILES['import_file']['name']), __('See the cacti.log for more information, and review the XML file for proper syntax. The error details are shown below.<br><br><b>Errors:</b><br>%s', $message_text));
function raise_message_javascript($title, $header, $message) {
?>
<script type='text/javascript'>
var mixedReasonTitle = '<?php print $title;?>';
var mixedOnPage = '<?php print $header;?>';
sessionMessage = {
message: '<?php print $message;?>',
level: MESSAGE_LEVEL_MIXED
};
$(function() {
displayMessages();
});
</script>
<?php
exit;
}
An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings.
ISHGARD-2 Reporter
TheWitness Remediation developer
netniV Coordinator
Summary
A reflection XSS vulnerability was discovered. Attackers can exploit this vulnerability to perform actions on behalf of other users.
Details
The vulnerability is found in
templates_import.php.When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS.raise_message_javascript()function passed an XML file name, which has not been rigorously verified. The variable $header contains the file name.PoC
';alert(1);var xx = '.xmlImpact
An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings.