Please find attached three patches against the pkg-cacti git branch
debian-lenny to fix this bug.

Feel free to use them.

Paul
From 4c6b9f2dc8af687f288218575388619c9528c346 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:30:53 +0200
Subject: [PATCH 1/3] Fix CVE-2010-1644 XSS issues in host.php and data_sources.php

Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and
other products, allow remote attackers to inject arbitrary web script or
HTML via the (1) hostname or (2) description parameter to host.php, or
(3) the host_id parameter to data_sources.php.

Closes: #624516
---
 data_sources.php |    1 +
 host.php         |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/data_sources.php b/data_sources.php
index c4ee99f..f172f44 100644
--- a/data_sources.php
+++ b/data_sources.php
@@ -656,6 +656,7 @@ function ds_edit() {
 
 	/* ================= input validation ================= */
 	input_validate_input_number(get_request_var("id"));
+	input_validate_input_number(get_request_var("host_id"));
 	/* ==================================================== */
 
 	$use_data_template = true;
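Review bot: In ds_edit() the added input_validate_input_number(get_request_var("host_id")) call covers only this one entry point. The commit message names the host_id parameter to data_sources.php as a whole, so please confirm that no other function in the file reads host_id from the request without the same check, and say so in the commit message.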
diff --git a/host.php b/host.php
index a82ddbf..045b661 100644
--- a/host.php
+++ b/host.php
@@ -146,8 +146,8 @@ function form_save() {
 		if ($_POST["snmp_password"] != $_POST["snmp_password_confirm"]) {
 			raise_message(4);
 		}else{
-			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
-				$_POST["hostname"], $_POST["snmp_community"], $_POST["snmp_version"],
+			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], htmlentities($_POST["description"]),
+				htmlentities(trim($_POST["hostname"])), $_POST["snmp_community"], $_POST["snmp_version"],
 				$_POST["snmp_username"], $_POST["snmp_password"],
 				$_POST["snmp_port"], $_POST["snmp_timeout"],
 				(isset($_POST["disabled"]) ? $_POST["disabled"] : ""),
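Review bot: In form_save(), htmlentities() is applied to description and hostname before they are passed to api_device_save(), so the encoded form is what gets stored rather than what the user entered. Anything that uses hostname for something other than HTML output then receives the encoded string, any other code path that writes these fields bypasses the fix, and a later output-side escape would double-encode. Escaping where the values are printed would be more robust. If the save-time approach is kept, note that htmlentities() with the default flags of the PHP versions of this era leaves single quotes unencoded, so htmlentities($value, ENT_QUOTES) is the safer call when a value can end up in a single-quoted attribute. Also, trim() is applied to hostname only, and snmp_community and snmp_username are still passed through raw on the same call.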
-- 
1.7.4.1

From 2ab2f016061c7dda48e3d149983a5237afca3df3 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:58:53 +0200
Subject: [PATCH 2/3] Create debian patch for CVE-2010-1644

---
 debian/patches/CVE-2010-1644.patch |   47 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 48 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2010-1644.patch

diff --git a/debian/patches/CVE-2010-1644.patch b/debian/patches/CVE-2010-1644.patch
new file mode 100644
index 0000000..d9138f3
--- /dev/null
+++ b/debian/patches/CVE-2010-1644.patch
@@ -0,0 +1,47 @@
+Author: Paul Gevers <p...@climbing.nl>
+Subject: [PATCH] Fix CVE-2010-1644 XSS issues in host.php and data_sources.php
+
+Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
+0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and
+other products, allow remote attackers to inject arbitrary web script or
+HTML via the (1) hostname or (2) description parameter to host.php, or
+(3) the host_id parameter to data_sources.php.
+
+Origin: http://svn.cacti.net/viewvc?view=rev&revision=5901
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624516
+Last-Update: 2011-07-01
+---
+ data_sources.php |    1 +
+ host.php         |    4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/data_sources.php b/data_sources.php
+index c4ee99f..f172f44 100644
+--- a/data_sources.php
++++ b/data_sources.php
+@@ -656,6 +656,7 @@ function ds_edit() {
+ 
+ 	/* ================= input validation ================= */
+ 	input_validate_input_number(get_request_var("id"));
++	input_validate_input_number(get_request_var("host_id"));
+ 	/* ==================================================== */
+ 
+ 	$use_data_template = true;
+diff --git a/host.php b/host.php
+index a82ddbf..045b661 100644
+--- a/host.php
++++ b/host.php
+@@ -146,8 +146,8 @@ function form_save() {
+ 		if ($_POST["snmp_password"] != $_POST["snmp_password_confirm"]) {
+ 			raise_message(4);
+ 		}else{
+-			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
+-				$_POST["hostname"], $_POST["snmp_community"], $_POST["snmp_version"],
++			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], htmlentities($_POST["description"]),
++				htmlentities(trim($_POST["hostname"])), $_POST["snmp_community"], $_POST["snmp_version"],
+ 				$_POST["snmp_username"], $_POST["snmp_password"],
+ 				$_POST["snmp_port"], $_POST["snmp_timeout"],
+ 				(isset($_POST["disabled"]) ? $_POST["disabled"] : ""),
+-- 
+1.7.4.1
+
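Review bot: The new debian/patches/CVE-2010-1644.patch is a verbatim copy of patch 1/3 (same index c4ee99f..f172f44 and a82ddbf..045b661 lines), so the change now exists both in the tree and in the series. Please confirm the branch is meant to carry its patches already applied; if the series is applied to the tree at build time, these hunks will not apply a second time. Smaller points: the file ends with the git format-patch trailer ("-- " and "1.7.4.1") plus a blank line, which can be dropped; the Subject field still carries the "[PATCH]" prefix; and the commit that adds the file has no message body explaining where the patch comes from.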
diff --git a/debian/patches/series b/debian/patches/series
index f45e384..6c11efe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ official_snmp_auth_none_notice.patch
 08_CVE-2009-4032.patch
 official_sql_injection_template_export.patch
 CVE-2010-2092.patch
+CVE-2010-1644.patch
-- 
1.7.4.1

From ccb5dde6b5ccf9a59ddad9e15c6d3a685d942172 Mon Sep 17 00:00:00 2001
From: Paul Gevers <p...@climbing.nl>
Date: Fri, 1 Jul 2011 20:59:37 +0200
Subject: [PATCH 3/3] Prepare d/changelog for 0.8.7b-2.1+lenny4

---
 debian/changelog |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ccc7475..c2df8bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cacti (0.8.7b-2.1+lenny4) stable-security; urgency=low
+
+  * Patch for CVE-2010-1644: XSS issues in host.php and data_sources.php    
+    Closes: #624516
+
+ -- Paul Gevers <p...@climbing.nl>  Fri, 01 Jul 2011 20:36:06 +0200
+
 cacti (0.8.7b-2.1+lenny3) stable-security; urgency=low
 
   * Patch for CVE-2010-2092/MOPS-2010-023: SQL Injection Vulnerability
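Review bot: The "* Patch for CVE-2010-1644" line in the new changelog entry ends in trailing spaces; please strip them. The entry could also name the upstream revision the fix was taken from, as the Origin field in debian/patches/CVE-2010-1644.patch does. urgency=low matches the previous lenny3 entry, but consider whether a remotely triggerable XSS warrants a higher value.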
-- 
1.7.4.1

Attachment: signature.asc
Description: OpenPGP digital signature
