Please find attached three patches against the pkg-cacti git branch debian-lenny to fix this bug.
Feel free to use them. Paul
From 4c6b9f2dc8af687f288218575388619c9528c346 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:30:53 +0200
Subject: [PATCH 1/3] Fix CVE-2010-1644 XSS issues in host.php and data_sources.php

Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and
other products, allow remote attackers to inject arbitrary web script or
HTML via the (1) hostname or (2) description parameter to host.php, or
(3) the host_id parameter to data_sources.php.

Closes: #624516
---
 data_sources.php | 1 +
 host.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/data_sources.php b/data_sources.php
index c4ee99f..f172f44 100644
--- a/data_sources.php
+++ b/data_sources.php
@@ -656,6 +656,7 @@ function ds_edit() {

 /* ================= input validation ================= */
 input_validate_input_number(get_request_var("id"));
+ input_validate_input_number(get_request_var("host_id"));
 /* ==================================================== */

 $use_data_template = true;
diff --git a/host.php b/host.php
index a82ddbf..045b661 100644
--- a/host.php
+++ b/host.php
@@ -146,8 +146,8 @@ function form_save() {
 if ($_POST["snmp_password"] != $_POST["snmp_password_confirm"]) {
 raise_message(4);
 }else{
- $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
- $_POST["hostname"], $_POST["snmp_community"], $_POST["snmp_version"],
+ $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], htmlentities($_POST["description"]),
+ htmlentities(trim($_POST["hostname"])), $_POST["snmp_community"], $_POST["snmp_version"],
 $_POST["snmp_username"], $_POST["snmp_password"],
 $_POST["snmp_port"], $_POST["snmp_timeout"],
 (isset($_POST["disabled"]) ? $_POST["disabled"] : ""),
-- 
1.7.4.1
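Review bot: The added `input_validate_input_number(get_request_var("host_id"))` call covers `host_id` only inside ds_edit(), while the commit message names the parameter for data_sources.php as a whole. The hunk does not show whether other handlers in the file read the same request variable, so they should be checked for the same validation. Because the fix relies on this line running before any later use of the value, a short comment would help the next maintainer, for example `/* host_id must be numeric before any later use (CVE-2010-1644) */`. ds_edit() continues outside the hunk.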
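Review bot: Wrapping `description` and `hostname` in `htmlentities()` at the `api_device_save()` call in form_save() stores entity-encoded text rather than escaping where the values are printed, so rows saved before this patch and any other caller of `api_device_save()` are not covered (those callers are outside this hunk and need checking). The calls also rely on the default flags, which on the PHP releases a lenny package runs on leave single quotes unencoded; `htmlentities($_POST["description"], ENT_QUOTES)` and `htmlentities(trim($_POST["hostname"]), ENT_QUOTES)` would close that gap if either value is ever written into a single-quoted attribute. The stored hostname is presumably also what the poller uses, so a value containing `&` or `<` would no longer match what the user typed; escaping at output time would avoid both this and double-encoding on re-save. form_save() starts and ends outside the hunk.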
From 2ab2f016061c7dda48e3d149983a5237afca3df3 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:58:53 +0200
Subject: [PATCH 2/3] Create debian patch for CVE-2010-1644

---
 debian/patches/CVE-2010-1644.patch | 47 ++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 48 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2010-1644.patch

diff --git a/debian/patches/CVE-2010-1644.patch b/debian/patches/CVE-2010-1644.patch
new file mode 100644
index 0000000..d9138f3
--- /dev/null
+++ b/debian/patches/CVE-2010-1644.patch
@@ -0,0 +1,47 @@
+Author: Paul Gevers <p...@climbing.nl>
+Subject: [PATCH] Fix CVE-2010-1644 XSS issues in host.php and data_sources.php
+
+Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
+0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and
+other products, allow remote attackers to inject arbitrary web script or
+HTML via the (1) hostname or (2) description parameter to host.php, or
+(3) the host_id parameter to data_sources.php.
+
+Origin: http://svn.cacti.net/viewvc?view=rev&revision=5901
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624516
+Last-Update: 2011-07-01
+---
+ data_sources.php | 1 +
+ host.php | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/data_sources.php b/data_sources.php
+index c4ee99f..f172f44 100644
+--- a/data_sources.php
++++ b/data_sources.php
+@@ -656,6 +656,7 @@ function ds_edit() {
+
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var("id"));
++ input_validate_input_number(get_request_var("host_id"));
+ /* ==================================================== */
+
+ $use_data_template = true;
+diff --git a/host.php b/host.php
+index a82ddbf..045b661 100644
+--- a/host.php
++++ b/host.php
+@@ -146,8 +146,8 @@ function form_save() {
+ if ($_POST["snmp_password"] != $_POST["snmp_password_confirm"]) {
+ raise_message(4);
+ }else{
+- $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
+- $_POST["hostname"], $_POST["snmp_community"], $_POST["snmp_version"],
++ $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], htmlentities($_POST["description"]),
++ htmlentities(trim($_POST["hostname"])), $_POST["snmp_community"], $_POST["snmp_version"],
+ $_POST["snmp_username"], $_POST["snmp_password"],
+ $_POST["snmp_port"], $_POST["snmp_timeout"],
+ (isset($_POST["disabled"]) ? $_POST["disabled"] : ""),
+-- 
+1.7.4.1
+
diff --git a/debian/patches/series b/debian/patches/series
index f45e384..6c11efe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ official_snmp_auth_none_notice.patch
 08_CVE-2009-4032.patch
 official_sql_injection_template_export.patch
 CVE-2010-2092.patch
+CVE-2010-1644.patch
-- 
1.7.4.1
From ccb5dde6b5ccf9a59ddad9e15c6d3a685d942172 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:59:37 +0200
Subject: [PATCH 3/3] Prepare d/changelog for 0.8.7b-2.1+lenny4

---
 debian/changelog | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ccc7475..c2df8bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cacti (0.8.7b-2.1+lenny4) stable-security; urgency=low
+
+ * Patch for CVE-2010-1644: XSS issues in host.php and data_sources.php
+ Closes: #624516
+
+ -- Paul Gevers <p...@climbing.nl> Fri, 01 Jul 2011 20:36:06 +0200
+
 cacti (0.8.7b-2.1+lenny3) stable-security; urgency=low

 * Patch for CVE-2010-2092/MOPS-2010-023: SQL Injection Vulnerability
-- 
1.7.4.1
signature.asc
Description: OpenPGP digital signature