Date: Mon, 1 Apr 2013 08:46:04 -0300
From: Daniel Ricardo dos Santos <>
Subject: Network Weathermap 0.97a - Persistent XSS

Network Weathermap 0.97a - Persistent XSS
Earlier versions are also possibly vulnerable.


Product: Network Weathermap 0.97a
Remote-exploit: yes

Discovered by: Daniel Ricardo dos Santos
CVE Request - 15/03/2013
CVE Assign - 18/03/2013
CVE Number - CVE-2013-2618
Vendor notification - 18/03/2013
Vendor reply - No reply
Public disclosure - 01/04/2013


Network Weathermap 0.97a is vulnerable to a persistent XSS when displaying
available files.


Network Weathermap is a network visualisation tool, to take data you
already have and show you an overview of your network in map form.
Support is built in for RRD, MRTG (RRD and old log-format), and
tab-delimited text files. Other sources are via plugins or external scripts.


The vulnerability happens when a user injects HTML and JavaScript into the
title of a map in editor.php. This title is later shown to the user when
listing the files in editor.php?action=newfile.

Besides the title, other fields also allow an attacker to upload malicious
PHP code to a webserver, which can later be executed if the attacker has
direct access to that file.

This application is often used as a plugin for Cacti. The vulnerability can
be exploited in this mode as well, in
weathermap-cacti-plugin-mgmt.php?action=viewconfig&file=<affected_file> and
it can be used to exploit Cacti.

To test it, simply create a map or edit an existing one:
GET editor.php?mapname=test&action=newmap

Then edit the map title with the payload:
POST editor.php

Then display the titles:
GET editor.php


Tested with version 0.97a (current release) but earlier versions are
possibly vulnerable.


There is no official patch currently available.


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2013-2618 to this issue. This is a candidate for inclusion in
the CVE list (, which standardizes names for
security problems.


Daniel Ricardo dos Santos
SEC+ Information Security Company -
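
Added example, not part of the original advisory and not Network Weathermap's own code: with no official patch available, a defender can audit stored map configuration text for markup in the title and other fields, and HTML-encode a title wherever it is listed. The sample config is constructed; the function names, the regex heuristic and the directory argument are assumptions.

```python
import html
import re
import sys
from pathlib import Path

# Heuristic (an assumption, tune for your maps): HTML/XML tags, comments,
# and PHP open tags have no place in a map title or label.
MARKUP = re.compile(r"<\?|<\s*[/!]?\s*[A-Za-z]")

def audit_config(text):
    """Return (line_no, keyword, value) for every config line carrying markup.

    Comment lines are scanned too: PHP placed in a comment still runs if the
    web server ever executes the file.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and MARKUP.search(line):
            keyword, _, value = line.partition(" ")
            findings.append((line_no, keyword, value.strip()))
    return findings

def render_title(title):
    """Encode a stored title for output in an HTML file listing."""
    return html.escape(title, quote=True)

# Constructed sample map config, not taken from a real installation.
SAMPLE = """\
# constructed sample
WIDTH 800
HEIGHT 600
TITLE Core <script>alert(1)</script>
NODE router1
    LABEL <?php echo 1; ?>
    POSITION 100 100
"""

if __name__ == "__main__":
    # With a directory argument (assumed to hold the map config files),
    # audit every file in it; otherwise audit the embedded sample.
    paths = sorted(Path(sys.argv[1]).iterdir()) if len(sys.argv) > 1 else []
    texts = [(str(p), p.read_text(errors="replace")) for p in paths if p.is_file()]
    for name, text in texts or [("SAMPLE", SAMPLE)]:
        for line_no, keyword, value in audit_config(text):
            print(f"{name}:{line_no}: {keyword}: {render_title(value)}")
```

Findings are printed through the same encoding routine, so the audit report is itself safe to view in a browser.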
