Zero-Day Advisory

Fortinet Discovers Cacti Cross-Site Scripting (XSS) Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in Cacti.
Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of these are wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices.
The vulnerability exists due to insufficiently sanitizing user-supplied data in HTTP request sent to graphs.php so that remote attackers can exploit it to launch XSS attack. Successful exploitation of this vulnerability would allow injection and execution of arbitrary HTML and script code in the target user's browser in the security context of the affected Cacti.

Solutions

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

Cacti.graphs.php.XSS
Released Mar 19, 2015

Users should apply the solution provided by Cacti.

Additional Information

This is a stored cross-site scripting vulnerability. Only "View Graphs" and "Update Graphs" permissions are required to exploit it.

Acknowledgement

This vulnerability was discovered by Honggang Ren of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.