
Re: another squeeze cacti update?



Hi LTS maintainers,

On 05-01-16 20:55, Antoine Beaupré wrote:
> Cacti still shows up in the list of opened issues in squeeze... Are you
> going to take care of CVE-2015-8604 next?

Apart from CVE-2015-8604, which I have an (attached) patch ready for
upload to sid, I also consider the patch for CVE-2015-8377 incomplete
(where should this actually be reported, bts?). The vulnerable variable
is a 3D array and both runs of "each" should be checked. Unfortunately
the upstream bug tracker is down now, but I will update the patch there.
Please find it attached as well (line numbers may not be for squeeze).

After I take care of wheezy and jessie debdiffs I can take care of this
in squeeze myself, but I don't mind if somebody beats me to it. But
please use the attached patches or discuss why they are not good enough.

Paul
Description: SQL injection vulnerability in the host_new_graphs_save function
 in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users
 to execute arbitrary SQL commands via crafted serialized data in the
 selected_graphs_array parameter in a save action.
Author: Chris Lamb <lamby@debian.org> and Paul Gevers <elbrus@debian.org>
Bug: http://bugs.cacti.net/view.php?id=2655
Index: cacti/graphs_new.php
===================================================================
--- cacti.orig/graphs_new.php
+++ cacti/graphs_new.php
@@ -183,11 +183,17 @@ function host_new_graphs_save() {
 
 		while (list($form_id1, $form_array2) = each($form_array)) {
 			/* enumerate information from the arrays stored in post variables */
+			/* ================= input validation ================= */
+			input_validate_input_number($form_id1);
+			/* ==================================================== */
 			if ($form_type == "cg") {
 				$graph_template_id = $form_id1;
 			}elseif ($form_type == "sg") {
 				while (list($form_id2, $form_array3) = each($form_array2)) {
 					$snmp_index_array = $form_array3;
+					/* ================= input validation ================= */
+					input_validate_input_number($form_id2);
+					/* ==================================================== */
 
 					$snmp_query_array["snmp_query_id"] = $form_id1;
 					$snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1);
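
Review bot: In the "sg" branch, $snmp_index_array = $form_array3; is assigned before input_validate_input_number($form_id2) runs, and only the keys $form_id1 and $form_id2 are checked; the innermost values of $form_array3 are carried into $snmp_index_array without any validation in the lines shown. Consider moving the $form_id2 check above the assignment so validation visibly precedes every use, and confirm that the index values are validated or escaped wherever $snmp_index_array reaches a query. $form_type is a key of the same crafted selected_graphs_array and is only compared loosely with == against "cg" and "sg"; unless a final else outside this hunk rejects other values, an explicit check of the allowed types would cover that dimension too.
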
Description: SQL injection vulnerability in the host_new_graphs function in
 graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users
 to execute arbitrary SQL commands via crafted serialized data in the
 selected_graphs_array parameter in a save action.
Author: Paul Gevers <elbrus@debian.org>
Bug: http://bugs.cacti.net/view.php?id=2652
Index: cacti/graphs_new.php
===================================================================
--- cacti.orig/graphs_new.php
+++ cacti/graphs_new.php
@@ -252,6 +252,9 @@ function host_new_graphs($host_id, $host
 
 	while (list($form_type, $form_array) = each($selected_graphs_array)) {
 		while (list($form_id1, $form_array2) = each($form_array)) {
+            /* ================= input validation ================= */
+            input_validate_input_number($form_id1);
+            /* ==================================================== */
 			if ($form_type == "cg") {
 				$graph_template_id = $form_id1;
 
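Review bot: The three added lines above if ($form_type == "cg") are indented with spaces, while the surrounding context lines and the additions in the other hunks use tabs. Convert them to tabs so the block matches the file and does not show up as a whitespace-only difference later.
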
@@ -260,6 +263,7 @@ function host_new_graphs($host_id, $host
 				while (list($form_id2, $form_array3) = each($form_array2)) {
 					/* ================= input validation ================= */
 					input_validate_input_number($snmp_query_id);
+					input_validate_input_number($form_id2);
 					/* ==================================================== */
 
 					$snmp_query_id = $form_id1;
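
Review bot: The existing input_validate_input_number($snmp_query_id) in this validation block runs before $snmp_query_id = $form_id1; two lines below, so it checks whatever the variable held before this iteration rather than the key currently in use. Since this patch already validates $form_id1 at the top of the enclosing loop, either drop the $snmp_query_id check or move the assignment above the validation block so the check covers the value that is actually used.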
