Hello community, here is the log from the commit of package cacti for openSUSE:Factory checked in at 2016-02-11 12:38:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cacti (Old) and /work/SRC/openSUSE:Factory/.cacti.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cacti" Changes: -------- --- /work/SRC/openSUSE:Factory/cacti/cacti.changes 2015-11-26 17:02:15.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cacti.new/cacti.changes 2016-02-11 12:38:09.000000000 +0100 @@ -1,0 +2,14 @@ +Tue Feb 9 19:57:17 UTC 2016 - [email protected] + +- Fix the following vulnerabilities: + * CVE-2015-8369: SQL injection in graph.php (boo#958863) + * CVE-2015-8604: SQL injection in graphs_new.php (boo#960678) + * CVE-2015-8377: SQL injection vulnerability in the + host_new_graphs_save function in graphs_new.php + (boo#958977) + * boo#965930: Authentication using web authentication as a user + not in the cacti database allows complete access +- adding CVE-2015-8369.patch, CVE-2015-8604-CVE-2015-8377.patch + authentication_bypass_boo965930.patch + +------------------------------------------------------------------- New: ---- CVE-2015-8369.patch CVE-2015-8604-CVE-2015-8377.patch authentication_bypass_boo965930.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cacti.spec ++++++ --- /var/tmp/diff_new_pack.j86NEw/_old 2016-02-11 12:38:10.000000000 +0100 +++ /var/tmp/diff_new_pack.j86NEw/_new 2016-02-11 12:38:10.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package cacti # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,9 @@ Source4: %{name}-httpd.conf.default # PATCH-FIX-OPENSUSE cacti-0.8.8-cacti-log-path.patch Patch0: cacti-log-path.patch +Patch2: CVE-2015-8369.patch +Patch3: CVE-2015-8604-CVE-2015-8377.patch +Patch4: authentication_bypass_boo965930.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch 
@@ -99,6 +102,9 @@ %prep %setup -q %patch0 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 #delete the *.orig files find . -type f -name "*\.orig" -exec rm {} \; ++++++ CVE-2015-8369.patch ++++++ Date: 2015-11-28 21:08:16 +0100 Subject: -bug:0002646: SQL injection in graph.php From: Andreas Stieger <[email protected]> Upstream: committed References: https://bugzilla.opensuse.org/show_bug.cgi?id=958863 http://bugs.cacti.net/view.php?id=2646 http://svn.cacti.net/viewvc?view=rev&revision=7767 ------------------------------------------------------------------------ r7767 | cigamit | 2015-11-28 21:08:16 +0100 (Svd., 28 Nov 2015) | 1 line Changed paths: M /cacti/tags/0.8.8g/docs/CHANGELOG M /cacti/tags/0.8.8g/graph.php M /cacti/tags/0.8.8g/include/top_graph_header.php -bug:0002646: SQL injection in graph.php ------------------------------------------------------------------------ Index: cacti-0.8.8f/graph.php =================================================================== --- cacti-0.8.8f.orig/graph.php +++ cacti-0.8.8f/graph.php 
@@ -32,43 +32,43 @@ include_once("./lib/rrd.php"); api_plugin_hook_function('graph'); -include_once("./lib/html_tree.php"); -include_once("./include/top_graph_header.php"); - /* ================= input validation ================= */ -input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); -input_validate_input_number(get_request_var("local_graph_id")); -input_validate_input_number(get_request_var("graph_end")); -input_validate_input_number(get_request_var("graph_start")); +input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$"); +input_validate_input_number(get_request_var_request("local_graph_id")); +input_validate_input_number(get_request_var_request("graph_end")); +input_validate_input_number(get_request_var_request("graph_start")); input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); /* ==================================================== */ -if (!isset($_GET['rra_id'])) { - $_GET['rra_id'] = 'all'; +include_once("./lib/html_tree.php"); +include_once("./include/top_graph_header.php"); + +if (!isset($_REQUEST['rra_id'])) { + $_REQUEST['rra_id'] = 'all'; } -if ($_GET["rra_id"] == "all") { +if ($_REQUEST["rra_id"] == "all") { $sql_where = " where id is not null"; }else{ - $sql_where = " where id=" . $_GET["rra_id"]; + $sql_where = " where id=" . $_REQUEST["rra_id"]; } /* make sure the graph requested exists (sanity) */ -if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) { +if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . 
$_REQUEST["local_graph_id"]))) { print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit; } /* take graph permissions into account here, if the user does not have permission give an "access denied" message */ if (read_config_option("auth_method") != 0) { - $access_denied = !(is_graph_allowed($_GET["local_graph_id"])); + $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"])); if ($access_denied == true) { print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit; } } -$graph_title = get_graph_title($_GET["local_graph_id"]); +$graph_title = get_graph_title($_REQUEST["local_graph_id"]); if ($_REQUEST["view_type"] == "tree") { print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>"; @@ -76,15 +76,15 @@ if ($_REQUEST["view_type"] == "tree") { print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>"; } -$rras = get_associated_rras($_GET["local_graph_id"]); +$rras = get_associated_rras($_REQUEST["local_graph_id"]); switch ($_REQUEST["action"]) { case 'view': api_plugin_hook_function('page_buttons', - array('lgid' => $_GET["local_graph_id"], + array('lgid' => $_REQUEST["local_graph_id"], 'leafid' => '',//$leaf_id, 'mode' => 'mrtg', - 'rraid' => $_GET["rra_id"]) + 'rraid' => $_REQUEST["rra_id"]) ); ?> <tr class='tableHeader'> 
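Review bot: The validated request values are read back from `$_REQUEST` and concatenated raw into SQL in several places — `$sql_where` and the `db_fetch_cell` existence check in this hunk, `db_fetch_row` in the `@@ -143` hunk and `db_fetch_cell` in the `@@ -249` hunk — so the fix holds only if `input_validate_input_number`/`input_validate_input_regex` terminate the request on failure, and those helpers are not shown here. Binding once after the validation block, `$local_graph_id = (int) $_REQUEST["local_graph_id"];`, and using that local in the queries would keep the SQL safe regardless of what the validators accept (`rra_id` still needs its `all` case). The reordering is load-bearing and deserves a comment above the moved includes, e.g. `/* validation must run before top_graph_header.php, which reads graph_start/graph_end from $_REQUEST */`. Note that `$_REQUEST` may also merge cookie values depending on the php.ini `request_order`, so validation and use now deliberately read the same superglobal.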
@@ -105,13 +105,13 @@ case 'view': <table width='1' cellpadding='0'> <tr> <td> - <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'> + <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'> </td> <td valign='top' style='padding: 3px;' class='noprint'> - <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br> - <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> - <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . 
$graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a> - <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?> + <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br> + <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> + <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a> + <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?> <a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br> </td> </tr> 
@@ -143,7 +143,7 @@ case 'zoom': } /* fetch information for the current RRA */ - $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]); + $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]); /* define the time span, which decides which rra to use */ $timespan = -($rra["timespan"]); @@ -154,24 +154,24 @@ case 'zoom': FROM (data_template_data,data_template_rrd,graph_templates_item) WHERE graph_templates_item.task_item_id=data_template_rrd.id AND data_template_rrd.local_data_id=data_template_data.local_data_id - AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] . + AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] . " LIMIT 0,1"); $ds_step = empty($ds_step) ? 300 : $ds_step; $seconds_between_graph_updates = ($ds_step * $rra["steps"]); $now = time(); - if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) { - $graph_end = $_GET["graph_end"]; + if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) { + $graph_end = $_REQUEST["graph_end"]; }else{ $graph_end = $now - $seconds_between_graph_updates; } - if (isset($_GET["graph_start"])) { - if (($graph_end - $_GET["graph_start"])>$max_timespan) { + if (isset($_REQUEST["graph_start"])) { + if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) { $graph_start = $now - $max_timespan; }else { - $graph_start = $_GET["graph_start"]; + $graph_start = $_REQUEST["graph_start"]; } }else{ $graph_start = $now + $timespan; @@ -186,7 +186,7 @@ case 'zoom': graph_templates_graph.height, graph_templates_graph.width from graph_templates_graph - where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]); + where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]); $graph_height = $graph["height"]; $graph_width = $graph["width"]; 
@@ -214,12 +214,12 @@ case 'zoom': <table width='1' cellpadding='0'> <tr> <td> - <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'> + <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'> </td> <td valign='top' style='padding: 3px;' class='noprint'> - <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a> - <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . 
$_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> - <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?> + <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a> + <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> + <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?> </td> </tr> <tr> 
@@ -249,17 +249,17 @@ case 'properties': <table width='1' cellpadding='0'> <tr> <td> - <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'> + <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'> </td> <td valign='top' style='padding: 3px;'> - <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br> - <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> - <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?> + <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . 
get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br> + <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br> + <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?> </td> </tr> <tr> <td colspan='2' align='center'> - <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong> + <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong> </td> </tr> </table> Index: cacti-0.8.8f/include/top_graph_header.php =================================================================== --- cacti-0.8.8f.orig/include/top_graph_header.php +++ cacti-0.8.8f/include/top_graph_header.php @@ -146,12 +146,12 @@ $page_title = api_plugin_hook_function(' $graph_data_array["print_source"] = true; /* override: graph start time (unix time) */ - if (!empty($_GET["graph_start"])) { + if (!empty($_REQUEST["graph_start"])) { $graph_data_array["graph_start"] = get_request_var_request("graph_start"); } /* override: graph end time (unix time) */ - if (!empty($_GET["graph_end"])) { + if (!empty($_REQUEST["graph_end"])) { $graph_data_array["graph_end"] = get_request_var_request("graph_end"); } ++++++ CVE-2015-8604-CVE-2015-8377.patch ++++++ Date: 2016-01-17 20:31:52 +0100 
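Review bot: `top_graph_header.php` now reads `graph_start`/`graph_end` from `$_REQUEST` but still performs no validation of its own in this hunk; it is safe only because graph.php validates those parameters before the `include_once`, and any other page that includes this header without doing so would pass the raw values into `$graph_data_array`. A local guard, `input_validate_input_number(get_request_var_request("graph_start"));` and the same for `graph_end` ahead of the two `if` blocks, would remove that dependency on the includer. Also `!empty()` treats the string `"0"` as empty, so an explicit `graph_start=0` is silently ignored rather than applied — presumably intended, but worth a one-line comment. The enclosing block starts outside the hunk.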
From: Andreas Stieger <[email protected]> Upstream: committed References: https://bugzilla.suse.com/show_bug.cgi?id=958863 https://bugzilla.suse.com/show_bug.cgi?id=958977 http://svn.cacti.net/viewvc?view=rev&revision=7772 http://bugs.cacti.net/view.php?id=2652 http://bugs.cacti.net/view.php?id=2655 ------------------------------------------------------------------------ r7772 | cigamit | 2016-01-17 20:31:52 +0100 (Sdag, 17 Jan 2016) | 2 lines Changed paths: M /cacti/tags/0.8.8g/docs/CHANGELOG M /cacti/tags/0.8.8g/graphs_new.php -bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php -bug:0002655: CVE-2015-8377: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php ------------------------------------------------------------------------ Index: cacti-0.8.8f/graphs_new.php =================================================================== --- cacti-0.8.8f.orig/graphs_new.php +++ cacti-0.8.8f/graphs_new.php @@ -57,6 +57,11 @@ switch ($_REQUEST["action"]) { -------------------------- */ function form_save() { + /* ================= input validation ================= */ + input_validate_input_number(get_request_var_post("host_id")); + input_validate_input_number(get_request_var_post("host_template_id")); + /* ==================================================== */ + if (isset($_POST["save_component_graph"])) { /* summarize the 'create graph from host template/snmp index' stuff into an array */ while (list($var, $val) = each($_POST)) { 
@@ -183,12 +188,20 @@ function host_new_graphs_save() { while (list($form_id1, $form_array2) = each($form_array)) { /* enumerate information from the arrays stored in post variables */ + /* ================= input validation ================= */ + input_validate_input_number($form_id1); + /* ==================================================== */ + if ($form_type == "cg") { $graph_template_id = $form_id1; }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { $snmp_index_array = $form_array3; + /* ================= input validation ================= */ + input_validate_input_number($form_id2); + /* ==================================================== */ + $snmp_query_array["snmp_query_id"] = $form_id1; $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1); $snmp_query_array["snmp_query_graph_id"] = $form_id2; @@ -246,6 +259,10 @@ function host_new_graphs($host_id, $host while (list($form_type, $form_array) = each($selected_graphs_array)) { while (list($form_id1, $form_array2) = each($form_array)) { + /* ================= input validation ================= */ + input_validate_input_number($form_id1); + /* ==================================================== */ + if ($form_type == "cg") { $graph_template_id = $form_id1; @@ -254,6 +271,7 @@ function host_new_graphs($host_id, $host while (list($form_id2, $form_array3) = each($form_array2)) { /* ================= input validation ================= */ input_validate_input_number($snmp_query_id); + input_validate_input_number($form_id2); /* ==================================================== */ $snmp_query_id = $form_id1; ++++++ authentication_bypass_boo965930.patch ++++++ Date: 2016-01-17 20:23:42 +0100 Subject: -bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access 
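Review bot: `host_new_graphs_save` reads `$_POST["host_id"]` directly in `get_best_data_query_index_type($_POST["host_id"], $form_id1)`, while the only validation of `host_id` added by this commit sits in `form_save` (previous hunk); if this function is reachable by any path other than `form_save`, that check is skipped. Repeating `input_validate_input_number(get_request_var_post("host_id"));` at the top of this function would make it self-contained. The `$form_array3` values assigned to `$snmp_index_array` come from the same POST structure and are not validated here; whether they need it depends on how `$snmp_index_array` is used later, which is outside the hunk. The function starts and ends outside the hunk.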
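Review bot: In the inner loop of the `@@ -254` hunk the existing `input_validate_input_number($snmp_query_id);` runs before `$snmp_query_id = $form_id1;` is assigned, so it checks the previous iteration's value (or an unset variable on the first pass), not the current one; the new `input_validate_input_number($form_id2);` is correctly placed but the stale check sits right beside it. Because the `@@ -246` hunk now validates `$form_id1` before the inner loop, the misplaced line is redundant rather than dangerous, and it should either be dropped or the assignment moved above the validation block so the check means what it says. The enclosing `host_new_graphs` function starts and ends outside the hunk.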
From: Andreas Stieger <[email protected]> Upstream: committed References: https://bugzilla.opensuse.org/show_bug.cgi?id=965930 http://bugs.cacti.net/view.php?id=2656 http://svn.cacti.net/viewvc?view=rev&revision=7770 ------------------------------------------------------------------------ r7770 | cigamit | 2016-01-17 20:23:42 +0100 (Sdag, 17 Jan 2016) | 1 line Changed paths: M /cacti/tags/0.8.8g/auth_login.php M /cacti/tags/0.8.8g/docs/CHANGELOG -bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access ------------------------------------------------------------------------ Index: cacti-0.8.8f/auth_login.php =================================================================== --- cacti-0.8.8f.orig/auth_login.php +++ cacti-0.8.8f/auth_login.php @@ -86,6 +86,13 @@ if ($action == 'login') { /* Locate user in database */ $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2"); + if (!$user) { + cacti_log("AUTH LOGIN: User " . $username . " authenticated by web server but not found in Cacti database."); + $username = htmlspecialchars($username); + auth_display_custom_error_message("$username is not authorized to use Cacti."); + exit; + } + break; case "3": /* LDAP Auth */
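Review bot: The new guard denies only realm 2; the code after the `switch` (outside this hunk) is what previously treated an empty `$user` as a logged-in session, so if any other realm's lookup can return no row the same bypass would remain there. A single fail-closed check after the switch, `if (!$user) { auth_display_custom_error_message("... is not authorized to use Cacti."); exit; }`, would cover every realm rather than this one branch — hedged, since the post-switch code is not visible here. For incident response the log line would be more useful with the client address, e.g. `cacti_log("AUTH LOGIN: User " . $username . " from " . $_SERVER["REMOTE_ADDR"] . " authenticated by web server but not found in Cacti database.");`. Escaping at the point of output, `auth_display_custom_error_message(htmlspecialchars($username) . " is not authorized to use Cacti.");`, avoids overwriting `$username` with an HTML-encoded value.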
