CVE-2018-10059 in Cacti
Summary
by MITRE
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
Analysis
by VulDB Data Team • 02/28/2023
The vulnerability identified as CVE-2018-10059 represents a cross-site scripting weakness in the Cacti network monitoring platform affecting versions prior to 1.1.37. This flaw stems from an insecure coding practice where the get_current_page function within the lib/functions.php file utilizes $_SERVER['PHP_SELF'] for page name determination rather than the more secure $_SERVER['SCRIPT_NAME'] variable. The use of PHP_SELF introduces significant security risks as it includes the query string parameters and can be manipulated by attackers to inject malicious scripts into the application's response. This particular implementation vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications. The issue creates a pathway for malicious actors to execute arbitrary JavaScript code within the context of a victim's browser session, potentially leading to unauthorized actions or data exfiltration.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious URL containing a script payload that is processed by the vulnerable Cacti application. When the get_current_page function reads the PHP_SELF variable, it fails to sanitize or validate the value before incorporating it into the application's output. This allows attackers to inject JavaScript that executes in the browser of any user who visits the crafted URL or interacts with the affected application components. The vulnerability is particularly concerning because it affects core application functionality that determines page context, making it a persistent threat throughout the application's operation. According to ATT&CK framework category T1059, this vulnerability enables adversaries to execute code in the victim's browser environment, potentially leading to session hijacking or further exploitation of the compromised system.
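The following is an added illustration written for this page; it is not Cacti's real get_current_page() and not VulDB's code. It shows a simplified stand-in for the function in the vulnerable style (page name taken from $_SERVER['PHP_SELF']) beside the corrected style (taken from $_SERVER['SCRIPT_NAME']), plus the output encoding the mitigation advice calls for. PHP populates PHP_SELF as SCRIPT_NAME followed by PATH_INFO, so for a request to /cacti/graph_view.php/extra the last segment of PHP_SELF is whatever the client appended, while SCRIPT_NAME stops at the script itself. The $_SERVER arrays, the /cacti install path, the graph_view.php page name and the inert `<injected>` marker are all constructed for the demonstration.

```php
<?php
// Added illustration, not Cacti's real get_current_page(): a simplified
// stand-in in the vulnerable style and in the corrected style, fed with a
// constructed $_SERVER array so it runs from the CLI with no web server.
// PHP builds PHP_SELF as SCRIPT_NAME followed by PATH_INFO, so the trailing
// segment of PHP_SELF is whatever the client appended after the script name.

// Vulnerable style (pre-1.1.37 behaviour as described on the page): the page
// name is taken from PHP_SELF, whose last segment the client controls.
function get_current_page_vulnerable(array $server): string
{
    return basename($server['PHP_SELF']);
}

// Corrected style: SCRIPT_NAME is the server-resolved script path and never
// carries client-supplied PATH_INFO.
function get_current_page_fixed(array $server): string
{
    return basename($server['SCRIPT_NAME']);
}

// Defence in depth ("proper output encoding" in the mitigation advice):
// encode the page name before it is echoed into HTML, whichever server
// variable it came from.
function render_nav_link(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" class="current">' . $safe . '</a>';
}

// Constructed $_SERVER values (assumed install path /cacti, assumed page
// name graph_view.php). The second mirrors a request for
// /cacti/graph_view.php/<injected>, with PATH_INFO already URL-decoded by
// the web server; <injected> is an inert marker, not a payload.
$requests = [
    'benign'  => [
        'SCRIPT_NAME' => '/cacti/graph_view.php',
        'PATH_INFO'   => '',
        'PHP_SELF'    => '/cacti/graph_view.php',
    ],
    'hostile' => [
        'SCRIPT_NAME' => '/cacti/graph_view.php',
        'PATH_INFO'   => '/<injected>',
        'PHP_SELF'    => '/cacti/graph_view.php/<injected>',
    ],
];

foreach ($requests as $label => $server) {
    $vuln  = get_current_page_vulnerable($server);
    $fixed = get_current_page_fixed($server);
    echo "$label request\n";
    echo "  PHP_SELF-based page name:    $vuln\n";
    echo "  SCRIPT_NAME-based page name: $fixed\n";
    // Echoing the PHP_SELF-derived name unencoded is the XSS sink; the
    // encoded link shows what output encoding does to the same value.
    echo "  raw sink:     <a href=\"$vuln\">$vuln</a>\n";
    echo "  encoded sink: " . render_nav_link($vuln) . "\n";
}
```

Run it with `php demo.php`. For the hostile request the PHP_SELF-based name is `<injected>` and reaches the raw sink with its angle brackets intact, the SCRIPT_NAME-based name is `graph_view.php` regardless of what the client appended, and the encoded sink renders the same value as `&lt;injected&gt;`. The SCRIPT_NAME change removes the attacker-controlled input at the source; htmlspecialchars() on every echoed value is the second layer that catches any other path to the sink.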
The operational impact of CVE-2018-10059 extends beyond simple script injection, as it can lead to complete session compromise and unauthorized access to network monitoring data. An attacker who successfully exploits this vulnerability can manipulate the Cacti interface to redirect users to malicious sites, steal authentication cookies, or execute commands on behalf of authenticated users. The vulnerability affects all users who interact with the vulnerable Cacti installation, making it particularly dangerous in enterprise environments where network monitoring systems are critical infrastructure components. The exploitation requires minimal sophistication and can be automated, making it attractive to threat actors seeking to establish persistent access to network monitoring systems. Organizations using Cacti for network monitoring face significant risk if they do not apply the necessary patch to upgrade to version 1.1.37 or later, as this vulnerability can provide attackers with a foothold to expand their access within the network infrastructure. The flaw demonstrates the importance of proper input validation and the use of secure coding practices when handling server variables that influence application behavior and output generation.
The recommended mitigation is to upgrade to Cacti version 1.1.37 or later, which replaces the insecure use of PHP_SELF with the more secure SCRIPT_NAME variable. Organizations should also implement additional security measures such as input validation for all user-supplied data, proper output encoding, and regular security assessments of web applications. Network administrators should monitor for any suspicious activity or unauthorized access attempts that might indicate exploitation of this vulnerability. The patch addresses the root cause by ensuring that page name determination uses a server variable that does not include query string parameters, thereby preventing malicious input from being incorporated into the application's response. This remediation aligns with security best practices outlined in the OWASP Top Ten and other industry standards for web application security, emphasizing the critical importance of secure coding practices and proper server variable handling in preventing common web vulnerabilities.
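As an added example of the monitoring this paragraph recommends (written for this page, not Cacti's or VulDB's code), the script below scans Apache "combined" access-log lines for requests whose path carries extra segments after a .php script name, which is the request shape that reaches PHP_SELF with client-controlled bytes. It assumes the Cacti installation serves no pages through PATH_INFO, so any `/something.php/...` request is worth triage; the log lines, addresses and paths are constructed samples, not real traffic.

```php
<?php
// Added detection example, not from the Cacti project or VulDB. Scans
// Apache combined-format access-log lines for requests with PATH_INFO
// after a .php script (e.g. /cacti/graph_view.php/extra). Assumption:
// this Cacti install serves nothing via PATH_INFO, so such requests are
// unexpected and worth a look; this is a triage signal, not proof of
// exploitation.

// Pull the request path (without query string) out of one log line.
function parse_request_path(string $line): ?string
{
    // The request line is quoted: "GET /path?query HTTP/1.1".
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $path = parse_url($m[1], PHP_URL_PATH);
    return ($path === null || $path === false) ? null : $path;
}

// True when a ".php" segment is followed by further path, i.e. the script
// name is not the last segment of the request path.
function has_php_path_info(string $path): bool
{
    return (bool) preg_match('#\.php/.+#i', $path);
}

// Classify a path: null when nothing stands out, otherwise a short verdict.
function suspicious_path_info(string $path): ?string
{
    if (!has_php_path_info($path)) {
        return null;
    }
    // The server logs the request line still percent-encoded; decode so
    // %3C / %3E become < / > and markup characters can be spotted.
    $decoded = rawurldecode($path);
    return preg_match('/[<>"\']/', $decoded)
        ? 'markup-in-path-info'
        : 'unexpected-path-info';
}

// Constructed sample log lines (not real traffic; documentation addresses).
$lines = [
    '203.0.113.5 - - [28/Feb/2023:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Feb/2023:10:00:02 +0000] "GET /cacti/graph_view.php/%3Cinjected%3E HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Feb/2023:10:00:03 +0000] "GET /cacti/index.php/foo HTTP/1.1" 404 210 "-" "curl/7.88"',
    '198.51.100.7 - - [28/Feb/2023:10:00:04 +0000] "GET /cacti/images/logo.png HTTP/1.1" 200 8000 "-" "curl/7.88"',
];

foreach ($lines as $line) {
    $path = parse_request_path($line);
    if ($path === null) {
        continue;
    }
    $verdict = suspicious_path_info($path);
    if ($verdict !== null) {
        echo "$verdict: $path\n";
    }
}
```

Run against a real log with `php scan.php < access.log` after swapping the `$lines` array for a loop over `STDIN`. Of the four constructed lines, the plain `graph_view.php?action=tree` request and the image request produce nothing, `index.php/foo` is reported as `unexpected-path-info`, and the `graph_view.php/%3Cinjected%3E` request is reported as `markup-in-path-info`. Because the fix in 1.1.37 stops the application reflecting the extra segment, the same scan is also a useful check that no unpatched instance is still receiving such requests.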