
cacti 0.8.7g-1+squeeze6



Hi all,

I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully).
However, due to differences in the mysql version I am not able to test
the changes easily myself. I will try to upload the package to some
location for testing before, but at this moment I can't find how I can
put stuff on e.g. people.debian.org (it must be somewhere in the
documentation).

Debdiff attached, package builds correctly.

Paul
diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog
--- cacti-0.8.7g/debian/changelog
+++ cacti-0.8.7g/debian/changelog
@@ -1,3 +1,19 @@
+cacti (0.8.7g-1+squeeze6) squeeze-lts; urgency=high
+
+  * Security update
+    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+      before 0.8.8d allows remote attackers to inject arbitrary web script
+      or HTML via unspecified vectors.
+    - CVE-2015-4342 SQL Injection and Location header injection from cdef
+      id
+    - CVE-2015-4454 SQL injection vulnerability in the
+      get_hash_graph_template function in lib/functions.php in Cacti before
+      0.8.8d allows remote attackers to execute arbitrary SQL commands via
+      the graph_template_id parameter to graph_templates.php.
+    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
+
+ -- Paul Gevers <elbrus@debian.org>  Tue, 23 Jun 2015 21:22:55 +0200
+
 cacti (0.8.7g-1+squeeze5) squeeze-lts; urgency=high
 
   * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8
diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series
--- cacti-0.8.7g/debian/patches/series
+++ cacti-0.8.7g/debian/patches/series
@@ -22,0 +23,4 @@
+CVE-2015-2665_XSS_in_graphs.php.patch
+CVE-2015-4342_SQL_injection_in_cdef.php.patch
+CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
+CVE-2015-XXXX_SQL_injection_in_tab.patch
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch
@@ -0,0 +1,18 @@
+Description: CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+ before 0.8.8d allows remote attackers to inject arbitrary web script
+ or HTML via unspecified vectors.
+Source: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch
+
+Index: cacti/graphs.php
+===================================================================
+--- cacti.orig/graphs.php
++++ cacti/graphs.php
+@@ -1325,7 +1325,7 @@ function graph() {
+ 			/* we're escaping strings here, so no need to escape them on form_selectable_cell */
+ 			$template_name = ((empty($graph["name"])) ? "<em>None</em>" : htmlspecialchars($graph["name"]));
+ 			form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $graph["local_graph_id"]); $i++;
+-			form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("graphs.php?action=graph_edit&id=" . $graph["local_graph_id"]) . "' title='" . htmlspecialchars($graph["title_cache"]) . "'>" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "</a>", $graph["local_graph_id"]);
++			form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("graphs.php?action=graph_edit&id=" . $graph["local_graph_id"]) . "' title='" . htmlspecialchars($graph["title_cache"], ENT_QUOTES) . "'>" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "</a>", $graph["local_graph_id"]);
+ 			form_selectable_cell($graph["local_graph_id"], $graph["local_graph_id"]);
+ 			form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", $template_name) : $template_name), $graph["local_graph_id"]);
+ 			form_selectable_cell($graph["height"] . "x" . $graph["width"], $graph["local_graph_id"]);
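Review bot: The `href` attribute on the same rewritten line is also single-quoted and still wraps its value in `htmlspecialchars()` without `ENT_QUOTES`, so the fix reaches only one of the two attributes in that anchor; `htmlspecialchars("graphs.php?action=graph_edit&id=" . $graph["local_graph_id"], ENT_QUOTES)` would make the escaping consistent across the element. Whether that gap matters in practice depends on `local_graph_id` arriving from the database as an integer, which this hunk does not show. The occurrences of `htmlspecialchars($graph["title_cache"])` inside the element text are not in attribute context and do not need the flag. The remainder of `graph()` lies outside the hunk.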
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch
@@ -0,0 +1,39 @@
+Description: CVE-2015-4342 SQL Injection and Location header injection
+ from cdef id
+Bug: http://bugs.cacti.net/view.php?id=2571
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7719
+
+Index: cacti/lib/functions.php
+===================================================================
+--- cacti.orig/lib/functions.php
++++ cacti/lib/functions.php
+@@ -1947,6 +1947,9 @@ function get_hash_data_input($data_input
+    @arg $sub_type (optional) return the hash for a particlar sub-type of this type
+    @returns - a 128-bit, hexadecimal hash */
+ function get_hash_cdef($cdef_id, $sub_type = "cdef") {
++	if (! is_numeric($cdef_id)) {
++		$cdef_id = -1;
++	}
+ 	if ($sub_type == "cdef") {
+ 		$hash = db_fetch_cell("select hash from cdef where id=$cdef_id");
+ 	}elseif ($sub_type == "cdef_item") {
+Index: cacti/cdef.php
+===================================================================
+--- cacti.orig/cdef.php
++++ cacti/cdef.php
+@@ -107,6 +107,15 @@ function draw_cdef_preview($cdef_id) {
+    -------------------------- */
+ 
+ function form_save() {
++
++	// make sure ids are numeric
++	if (isset($_POST["id"]) && ! is_numeric($_POST["id"])) {
++		$_POST["id"] = 0;
++	}
++	if (isset($_POST["cdef_id"]) && ! is_numeric($_POST["cdef_id"])) {
++		$_POST["cdef_id"] = 0;
++	}
++
+ 	if (isset($_POST["save_component_cdef"])) {
+ 		$save["id"] = $_POST["id"];
+ 		$save["hash"] = get_hash_cdef($_POST["id"]);
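Review bot: The new guards in `get_hash_cdef()` and `form_save()` rely on `is_numeric()`, which also accepts leading whitespace, decimal and exponent forms (and hex strings on the PHP 5 series this package targets), while the value is still interpolated unquoted into `select hash from cdef where id=$cdef_id`. If these ids are integers, as the unquoted comparison suggests, a cast is both tighter and simpler: `$cdef_id = (int) $cdef_id;` in `get_hash_cdef()` and `$_POST["id"] = (int) $_POST["id"];` (likewise for `cdef_id`) in `form_save()`; the same applies to the `graph_template_id` guard in the CVE-2015-4454 patch below. The two guards also fall back to different sentinels (`-1` here, `0` in `form_save()`), which is worth aligning or explaining in the comment. Both functions continue past the end of their hunks, so I cannot see whether other id fields reach queries unguarded.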
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
@@ -0,0 +1,24 @@
+Description: CVE-2015-4454 SQL injection vulnerability in the
+ get_hash_graph_template function in lib/functions.php in Cacti before
+ 0.8.8d allows remote attackers to execute arbitrary SQL commands via
+ the graph_template_id parameter to graph_templates.php.
+Bug: http://bugs.cacti.net/view.php?id=2572
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7720
+
+Index: cacti/graph_templates.php
+===================================================================
+--- cacti.orig/graph_templates.php
++++ cacti/graph_templates.php
+@@ -85,6 +85,12 @@ switch ($_REQUEST["action"]) {
+    -------------------------- */
+ 
+ function form_save() {
++
++	// sanitize ids
++	if (isset($_POST["graph_template_id"]) && ! is_numeric($_POST["graph_template_id"])) {
++		$_POST["graph_template_id"] = 0;
++	}
++
+ 	if (isset($_POST["save_component_template"])) {
+ 		$save1["id"] = $_POST["graph_template_id"];
+ 		$save1["hash"] = get_hash_graph_template($_POST["graph_template_id"]);
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch
@@ -0,0 +1,20 @@
+Description: Unassigned CVE SQL injection vulnerability
+ reported via VN:JVN#78187936 / TN:JPCERT#98968540
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7718
+
+Index: cacti/settings.php
+===================================================================
+--- cacti.orig/settings.php
++++ cacti/settings.php
+@@ -58,6 +58,11 @@ case 'save':
+ default:
+ 	include("./include/top_header.php");
+ 
++	/* clean up tab string */
++	if (isset($_REQUEST['tab'])) {
++		$_REQUEST['tab'] = sanitize_search_string(get_request_var_request('tab'));
++	}
++
+ 	/* set the default settings category */
+ 	if (!isset($_GET["tab"])) {
+ 		/* there is no selected tab; select the first one */
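Review bot: The cleaned tab value is written back to `$_REQUEST['tab']`, but the very next statement tests `$_GET["tab"]`, so this branch already reads the tab from a different superglobal than the one that was sanitized; if the code that follows (outside the hunk) also reads `$_GET["tab"]`, the unsanitized value is the one that gets used. Either read consistently via `get_request_var_request('tab')` below, or mirror the cleaned value right after the assignment, e.g. `$_GET['tab'] = $_REQUEST['tab'];`. The `default:` branch continues past the end of the hunk.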

Attachment: signature.asc
Description: OpenPGP digital signature

