Researchers at FortiGuard Labs recently discovered a cross-site scripting vulnerability in Cacti, a powerful web-based tool for collecting and graphing time series data. Cacti is frequently used for monitoring and presenting a variety of metrics in IT, ranging from CPU fan speeds and temperatures to network traffic. It is free and open source and has been widely adopted due to its extensibility and complete set of monitoring and graphing tools.
The vulnerability itself resulted from insufficient sanitization of user-supplied data sent to a particular page in the application. According to FortiGuard Labs, “Successful exploitation of this vulnerability would allow injection and execution of arbitrary HTML and script code in the target user's browser”. Attackers could use the vulnerability to launch more sophisticated attacks by redirecting users and setting up drive-by downloads.
Cacti, like most tools used internally by IT, is often not protected by a web application firewall or other security gateway. If an attacker can obtain a valid Cross-Site Request Forgery (CSRF) token and has "View Graphs" and "Update Graphs" permissions, they can exploit this vulnerability. FortiGuard researchers were able to successfully inject malicious scripts that redirected users of Cacti to other web pages not on the Cacti web application instance.
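As an added illustration (not Cacti's own code), the pattern behind a stored XSS of this kind and its fix, in PHP since that is Cacti's language: a graph title saved by a user with "Update Graphs" rights is later rendered to everyone with "View Graphs" rights. The function names, the `$graph` array and the sample title are assumptions constructed for this example.

```php
<?php
// Added illustration, not Cacti source. $graph['title_cache'] stands in for any
// user-supplied field that is stored once and rendered to every later viewer.

// Vulnerable pattern: the stored value is written into the page verbatim, so
// markup saved by one user executes in every other user's browser.
function render_graph_title_unsafe(array $graph): string
{
    return '<div class="graph-title" title="' . $graph['title_cache'] . '">'
         . $graph['title_cache'] . '</div>';
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES also covers
// the attribute context, where a stray " would otherwise end the attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_graph_title_safe(array $graph): string
{
    $title = esc($graph['title_cache']);
    return '<div class="graph-title" title="' . $title . '">' . $title . '</div>';
}

// Constructed sample: a "title" that carries markup instead of a name.
$graph = ['title_cache' => '<script>alert("xss")</script>'];
echo render_graph_title_unsafe($graph), PHP_EOL; // script tag passes through intact
echo render_graph_title_safe($graph), PHP_EOL;   // rendered as literal text only
```

Encoding at output time, rather than only filtering on input, is what keeps a value safe in every context it is later rendered into.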
This stored cross-site scripting (XSS) vulnerability was patched in the most recent release of Cacti, version 0.8.8d, released on June 19th, 2015. FortiGuard researchers documented the vulnerability in version 0.8.8c, but it may affect earlier versions of the software as well. All users of Cacti are encouraged to update to the latest release.
The Cacti vulnerability is also a reminder of potential security holes in internal applications. While most organizations focus on securing customer-facing applications, those used for internal purposes are often not given the same degree of attention. At first blush, this seems sensible, but the potential for harm in the event of a compromise can be significant. The use of web application firewalls and internal network firewalls can mitigate many such internal vulnerabilities.