Hi all, On 12-12-15 13:41, Paul Gevers wrote: > Please don't, upstream already has a patch in SVN¹, but didn't mark the > bug (I just did). Please find attached the debdiff that I came up with, based on my work on sid, jessie and wheezy. It isn't tested yet (I don't have a suitable setup for that), so I would appreciate it if somebody could check that the patch doesn't break graph.php. Paul
diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog
--- cacti-0.8.7g/debian/changelog
+++ cacti-0.8.7g/debian/changelog
@@ -1,3 +1,10 @@
+cacti (0.8.7g-1+squeeze10) squeeze-lts; urgency=high
+
+ * Add upstream patch to fix (Closes: #807599)
+ - CVE-2015-8369 SQL Injection vulnerability in graph.php
+
+ -- Paul Gevers <elbrus@debian.org> Sun, 13 Dec 2015 20:48:52 +0100
+
cacti (0.8.7g-1+squeeze9) squeeze-lts; urgency=high
* Non-maintainer upload by the Squeeze LTS Team.
diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series
--- cacti-0.8.7g/debian/patches/series
+++ cacti-0.8.7g/debian/patches/series
@@ -28,0 +29 @@
+CVE-2015-8369_sql_injection_in_graph.php.patch
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-8369_sql_injection_in_graph.php.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-8369_sql_injection_in_graph.php.patch
@@ -0,0 +1,206 @@
+From 1d85f9ab30af9558eb1da3a3c73a2551e08ec1ee Mon Sep 17 00:00:00 2001
+From: cigamit <cigamit@860744bd-22fc-0310-8c96-e9fe5004b5ca>
+Date: Sat, 28 Nov 2015 20:08:16 +0000
+Subject: [PATCH] -bug:0002646: SQL injection in graph.php
+
+git-svn-id: svn://svn.cacti.net/cacti/cacti@7767 860744bd-22fc-0310-8c96-e9fe5004b5ca
+---
+ tags/0.8.8g/graph.php | 78 ++++++++++++++++----------------
+ tags/0.8.8g/include/top_graph_header.php | 4 +-
+ 3 files changed, 42 insertions(+), 41 deletions(-)
+
+Index: cacti/graph.php
+===================================================================
+--- cacti.orig/graph.php
++++ cacti/graph.php
+@@ -27,45 +27,45 @@ if (!isset($_REQUEST["action"])) { $_REQ
+ if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }
+
+ $guest_account = true;
++/* ================= input validation ================= */
++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
++input_validate_input_number(get_request_var_request("local_graph_id"));
++input_validate_input_number(get_request_var_request("graph_end"));
++input_validate_input_number(get_request_var_request("graph_start"));
++input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
++/* ==================================================== */
++
+ include("./include/auth.php");
+ include_once("./lib/rrd.php");
+ include_once("./lib/html_tree.php");
+ include_once("./include/top_graph_header.php");
+
+-/* ================= input validation ================= */
+-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
+-input_validate_input_number(get_request_var("local_graph_id"));
+-input_validate_input_number(get_request_var("graph_end"));
+-input_validate_input_number(get_request_var("graph_start"));
+-input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
+-/* ==================================================== */
+-
+-if (!isset($_GET['rra_id'])) {
+- $_GET['rra_id'] = 'all';
++if (!isset($_REQUEST['rra_id'])) {
++ $_REQUEST['rra_id'] = 'all';
+ }
+
+-if ($_GET["rra_id"] == "all") {
++if ($_REQUEST["rra_id"] == "all") {
+ $sql_where = " where id is not null";
+ }else{
+- $sql_where = " where id=" . $_GET["rra_id"];
++ $sql_where = " where id=" . $_REQUEST["rra_id"];
+ }
+
+ /* make sure the graph requested exists (sanity) */
+-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
+ print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;
+ }
+
+ /* take graph permissions into account here, if the user does not have permission
+ give an "access denied" message */
+ if (read_config_option("auth_method") != 0) {
+- $access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
+
+ if ($access_denied == true) {
+ print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;
+ }
+ }
+
+-$graph_title = get_graph_title($_GET["local_graph_id"]);
++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
+
+ if ($_REQUEST["view_type"] == "tree") {
+ print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
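Review bot: The relocated validation block (the new lines directly after `$guest_account = true;`) calls input_validate_input_regex, input_validate_input_number and get_request_var_request before `include("./include/auth.php")`, so those helpers must already be loaded at that point; unless something above this hunk has pulled in include/global.php (and through it lib/functions.php), the first call is a fatal undefined-function error, which is exactly the breakage the submitter asks to have checked. Moving the block ahead of the includes is what actually closes the hole rather than a cosmetic reorder, because include/top_graph_header.php (included a few lines below) reads graph_start and graph_end before the old validation position, so the remedy is to confirm the helpers are in scope, not to move the block back. A one-line comment would stop the next maintainer from restoring the old order: `/* must run before top_graph_header.php is included: the header consumes graph_start/graph_end */`.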
+@@ -73,7 +73,7 @@ if ($_REQUEST["view_type"] == "tree") {
+ print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
+ }
+
+-$rras = get_associated_rras($_GET["local_graph_id"]);
++$rras = get_associated_rras($_REQUEST["local_graph_id"]);
+
+ switch ($_REQUEST["action"]) {
+ case 'view':
+@@ -94,12 +94,12 @@ case 'view':
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
++ <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+ </td>
+ </tr>
+ <tr>
+@@ -129,7 +129,7 @@ case 'zoom':
+ }
+
+ /* fetch information for the current RRA */
+- $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
++ $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
+
+ /* define the time span, which decides which rra to use */
+ $timespan = -($rra["timespan"]);
+@@ -140,24 +140,24 @@ case 'zoom':
+ FROM (data_template_data,data_template_rrd,graph_templates_item)
+ WHERE graph_templates_item.task_item_id=data_template_rrd.id
+ AND data_template_rrd.local_data_id=data_template_data.local_data_id
+- AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
++ AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
+ " LIMIT 0,1");
+ $ds_step = empty($ds_step) ? 300 : $ds_step;
+ $seconds_between_graph_updates = ($ds_step * $rra["steps"]);
+
+ $now = time();
+
+- if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
+- $graph_end = $_GET["graph_end"];
++ if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
++ $graph_end = $_REQUEST["graph_end"];
+ }else{
+ $graph_end = $now - $seconds_between_graph_updates;
+ }
+
+- if (isset($_GET["graph_start"])) {
+- if (($graph_end - $_GET["graph_start"])>$max_timespan) {
++ if (isset($_REQUEST["graph_start"])) {
++ if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
+ $graph_start = $now - $max_timespan;
+ }else {
+- $graph_start = $_GET["graph_start"];
++ $graph_start = $_REQUEST["graph_start"];
+ }
+ }else{
+ $graph_start = $now + $timespan;
+@@ -172,7 +172,7 @@ case 'zoom':
+ graph_templates_graph.height,
+ graph_templates_graph.width
+ from graph_templates_graph
+- where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
++ where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
+
+ $graph_height = $graph["height"];
+ $graph_width = $graph["width"];
+@@ -210,11 +210,11 @@ case 'zoom':
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img id='zoomGraphImage' src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
++ <img id='zoomGraphImage' src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+ </td>
+ </tr>
+ <tr>
+@@ -242,16 +242,16 @@ case 'properties':
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
++ <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+ </td>
+ </tr>
+ <tr>
+ <td colspan='2' align='center'>
+- <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
++ <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
+ </td>
+ </tr>
+ </table>
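Review bot: The `alt` attribute on the properties image (the new line building `graph_image.php?action=properties`) still prints `htmlspecialchars($graph_title)` without ENT_QUOTES, while the matching view and zoom images earlier in this patch were changed to `htmlspecialchars($graph_title, ENT_QUOTES)`. The attribute is delimited by single quotes, which the default flags leave unescaped, so a graph title containing `'` can close the attribute; the upstream change evidently meant all three to match. Change it to `alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'`.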
+Index: cacti/include/top_graph_header.php
+===================================================================
+--- cacti.orig/include/top_graph_header.php
++++ cacti/include/top_graph_header.php
+@@ -129,12 +129,12 @@ if (isset($_REQUEST["action"]) && $_REQU
+ $graph_data_array["print_source"] = true;
+
+ /* override: graph start time (unix time) */
+- if (!empty($_GET["graph_start"])) {
++ if (!empty($_REQUEST["graph_start"])) {
+ $graph_data_array["graph_start"] = get_request_var_request("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+- if (!empty($_GET["graph_end"])) {
++ if (!empty($_REQUEST["graph_end"])) {
+ $graph_data_array["graph_end"] = get_request_var_request("graph_end");
+ }
+
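Review bot: The two `!empty($_REQUEST[...])` overrides copy graph_start and graph_end into $graph_data_array without any check of their own; the fix relies on graph.php having run input_validate_input_number on both values before including this file, and the enclosing `if` on $_REQUEST["action"] starts outside the hunk. If include/top_graph_header.php is reached from another script with action=properties (its other includers are not visible here), the values would flow through unchecked. A comment above the overrides would make the precondition explicit: `/* graph_start/graph_end are validated by graph.php before this file is included; this file does not sanitise them itself */`.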