Your message dated Wed, 16 Dec 2009 12:41:18 +0100
with message-id <[email protected]>
and subject line fixed in NMU
has caused the Debian Bug report #561338,
regarding CVE-2009-4032: multiple XSS issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
561338: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cacti
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.

CVE-2009-4032[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e
| allow remote attackers to inject arbitrary web script or HTML via
| vectors related to (1) graph.php, (2) include/top_graph_header.php,
| (3) lib/html_form.php, and (4) lib/timespan_settings.php, as
| demonstrated by the (a) graph_end or (b) graph_start parameters to
| graph.php; (c) the date1 parameter in a tree action to graph_view.php;
| and the (d) page_refresh and (e) default_dual_pane_width parameters to
| graph_settings.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Uploaded NMU patch attached.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4032
    http://security-tracker.debian.org/tracker/CVE-2009-4032
diff -u cacti-0.8.7e/debian/changelog cacti-0.8.7e/debian/changelog
--- cacti-0.8.7e/debian/changelog
+++ cacti-0.8.7e/debian/changelog
@@ -1,3 +1,11 @@
+cacti (0.8.7e-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix several cross-site scriptings via different vectors
+    Fixes: CVE-2009-4032
+
+ -- Steffen Joeris <[email protected]>  Wed, 16 Dec 2009 12:06:20 +0100
+
 cacti (0.8.7e-1) unstable; urgency=low
 
   * New upstream release (Closes: #541490).
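Review bot: the new changelog entry never references the bug report it fixes; add `(Closes: #561338)` to the `Fix several cross-site scriptings` item so the BTS closes the report on upload instead of needing a separate close mail. While touching that line, `Fix several cross-site scripting issues via different vectors` reads more naturally, but that is cosmetic.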
diff -u cacti-0.8.7e/debian/patches/series cacti-0.8.7e/debian/patches/series
--- cacti-0.8.7e/debian/patches/series
+++ cacti-0.8.7e/debian/patches/series
@@ -7,0 +8 @@
+08_CVE-2009-4032.patch
only in patch2:
unchanged:
--- cacti-0.8.7e.orig/debian/patches/08_CVE-2009-4032.patch
+++ cacti-0.8.7e/debian/patches/08_CVE-2009-4032.patch
@@ -0,0 +1,101 @@
+--- cacti-0.8.7e/graph.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/graph.php	2009-11-21 23:10:16.000000000 -0500
+@@ -35,6 +35,8 @@
+ /* ================= input validation ================= */
+ input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
+ input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("graph_end"));
++input_validate_input_number(get_request_var("graph_start"));
+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
+ /* ==================================================== */
+ 
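Review bot: the two added checks fetch `graph_end` and `graph_start` with `get_request_var()`, whereas the `rra_id` and `view_type` checks in the same block use `get_request_var_request()`. If these parameters can also arrive in a POST body, the new validation only covers the GET case; either use the same accessor for all four, or confirm that graph.php only ever reads them from the query string.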
+--- cacti-0.8.7e/include/top_graph_header.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/include/top_graph_header.php	2009-11-21 23:15:27.000000000 -0500
+@@ -58,7 +58,7 @@
+ 		if ($_SESSION["custom"]) {
+ 			print "<meta http-equiv=refresh content='99999'>\r\n";
+ 		}else{
+-			print "<meta http-equiv=refresh content='" . read_graph_config_option("page_refresh") . "'>\r\n";
++			print "<meta http-equiv=refresh content='" . htmlspecialchars(read_graph_config_option("page_refresh"),ENT_QUOTES) . "'>\r\n";
+ 		}
+ 	}
+ 	?>
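Review bot: `ENT_QUOTES` is the right flag here because the `content='...'` attribute is single-quoted. Since `page_refresh` is meant to be a number of seconds for the `meta refresh`, a stricter fix is to cast it with `(int)` or validate it when the setting is saved so a non-numeric value never reaches the page; the output escaping can stay as defence in depth.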
+@@ -113,7 +113,7 @@
+ 	</tr>
+ 	<tr class="noprint">
+ 		<td bgcolor="#efefef" colspan="1" height="8" style="background-image: url(images/shadow_gray.gif); background-repeat: repeat-x; border-right: #aaaaaa 1px solid;">
+-			<img src="images/transparent_line.gif" width="<?php print read_graph_config_option("default_dual_pane_width");?>" height="2" border="0"><br>
++			<img src="images/transparent_line.gif" width="<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>" height="2" border="0"><br>
+ 		</td>
+ 		<td bgcolor="#ffffff" colspan="1" height="8" style="background-image: url(images/shadow.gif); background-repeat: repeat-x;">
+ 
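Review bot: `default_dual_pane_width` is used as an `<img width>` value, so `(int) read_graph_config_option("default_dual_pane_width")` would be both simpler and stricter than `htmlspecialchars()`. The escaping as written is sufficient for this attribute only because it is double-quoted, which the default `htmlspecialchars()` flags do cover.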
+@@ -144,7 +144,7 @@
+ 
+ 	<tr>
+ 		<?php if ((read_graph_config_option("default_tree_view_mode") == "2") && (($_REQUEST["action"] == "tree") || ((isset($_REQUEST["view_type"]) ? $_REQUEST["view_type"] : "") == "tree"))) { ?>
+-		<td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print read_graph_config_option("default_dual_pane_width");?>' class='noprint'>
++		<td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>' class='noprint'>
+ 			<table border=0 cellpadding=0 cellspacing=0><tr><td><font size=-2><a style="font-size:7pt;text-decoration:none;color:silver" href="http://www.treemenu.net/"; target=_blank></a></font></td></tr></table>
+ 			<?php grow_dhtml_trees(); ?>
+ 			<script type="text/javascript">initializeDocument();</script>
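Review bot: the `width='...'` attribute on the `<td>` is single-quoted, but the added `htmlspecialchars()` call is given no flags, and the default (`ENT_COMPAT`) escapes double quotes only, so a single quote in `default_dual_pane_width` still terminates the attribute. Use `htmlspecialchars(..., ENT_QUOTES)` as the `page_refresh` hunk does, or cast the value to `(int)`.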
+--- cacti-0.8.7e/lib/timespan_settings.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/include/html/inc_timespan_settings.php	2009-11-21 23:15:49.000000000 -0500
+@@ -125,9 +125,9 @@
+ 	if (isset($_POST["date1"])) {
+ 		/* the dates have changed, therefore, I am now custom */
+ 		if (($_SESSION["sess_current_date1"] != $_POST["date1"]) || ($_SESSION["sess_current_date2"] != $_POST["date2"])) {
+-			$timespan["current_value_date1"] = $_POST["date1"];
++			$timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]);
+ 			$timespan["begin_now"] =strtotime($timespan["current_value_date1"]);
+-			$timespan["current_value_date2"] = $_POST["date2"];
++			$timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]);
+ 			$timespan["end_now"]=strtotime($timespan["current_value_date2"]);
+ 			$_SESSION["sess_current_timespan"] = GT_CUSTOM;
+ 			$_SESSION["custom"] = 1;
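Review bot: the file header names different paths on the two sides, `lib/timespan_settings.php` on the `---` line and `include/html/inc_timespan_settings.php` on the `+++` line. GNU patch chooses between the two names by heuristics, so whether this hunk lands in the intended file depends on the tree layout; make both headers name `lib/timespan_settings.php`, which is the file the CVE text refers to for 0.8.7e.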
+@@ -135,8 +135,8 @@
+ 		}else {
+ 			/* the default button wasn't pushed */
+ 			if (!isset($_POST["button_clear_x"])) {
+-				$timespan["current_value_date1"] = $_POST["date1"];
+-				$timespan["current_value_date2"] = $_POST["date2"];
++				$timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]);
++				$timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]);
+ 				$timespan["begin_now"] = $_SESSION["sess_current_timespan_begin_now"];
+ 				$timespan["end_now"] = $_SESSION["sess_current_timespan_end_now"];
+ 
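Review bot: `sanitize_search_string()` is applied on input and the result is stored in `$timespan`, so any place that later prints `current_value_date1`/`current_value_date2` back into the form still needs `htmlspecialchars()` at output time; input filtering is not a substitute for output encoding. Separately, only `date1` is guarded by `isset()` at the top of this block while `$_POST["date2"]` is read unconditionally in both hunks, which is pre-existing but worth tidying while here.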
+--- ../old/cacti-0.8.7b/lib/html_form.php	2008-02-13 22:07:53.000000000 +0000
++++ cacti-0.8.7e/lib/html_form.php	2009-12-07 16:38:16.000000000 +0000
+@@ -241,13 +241,13 @@
+ 
+ 		if (sizeof($items) > 0) {
+ 		foreach ($items as $item) {
+-			print $item["name"] . "<br>";
++			print htmlspecialchars($item["name"],ENT_QUOTES) . "<br>";
+ 		}
+ 		}
+ 
+ 		break;
+ 	default:
+-		print "<em>" . $field_array["value"] . "</em>";
++		print "<em>" . htmlspecialchars($field_array["value"],ENT_QUOTES) . "</em>";
+ 
+ 		form_hidden_box($field_name, $field_array["value"], "");
+ 
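Review bot: the old-side header `../old/cacti-0.8.7b/lib/html_form.php` shows this section was generated against 0.8.7b with a different directory prefix, so under `-p1` the `---` path does not resolve and patch has to fall back to the `+++` name. Regenerate this section against the 0.8.7e tree so both headers agree, and confirm the context lines still match the 0.8.7e file.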
+@@ -390,7 +390,7 @@
+ 		$form_previous_value = $form_default_value;
+ 	}
+ 
+-	print "<input type='hidden' id='$form_name' name='$form_name' value='$form_previous_value'>\n";
++	print "<input type='hidden' id='$form_name' name='$form_name' value='" . htmlspecialchars($form_previous_value, ENT_QUOTES) . "'>\n";
+ }
+ 
+ /* form_dropdown - draws a standard html dropdown box
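Review bot: `$form_previous_value` is now escaped, but `$form_name` is interpolated into the `id` and `name` attributes of the same tag unescaped. If any caller derives `$form_name` from request data it needs the same `htmlspecialchars(..., ENT_QUOTES)` treatment; if it is always a literal, a short comment saying so would save the next reader the check.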
+@@ -574,7 +574,7 @@
+ 			}
+ 		}
+ 
+-		print ">". $array_display[$id];
++		print ">". htmlspecialchars($array_display[$id],ENT_QUOTES);
+ 		print "</option>\n";
+ 	}
+ 
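Review bot: this hunk escapes the option label, but the `<option` start tag that the printed `">"` closes is emitted before this hunk and is not part of it. Check that the attributes on that tag are escaped the same way, otherwise the dropdown is only half fixed.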

--- End Message ---
--- Begin Message ---
Version: 0.8.7e-1.1


--- End Message ---
