Hi,

the build 0.8.7g-1+squeeze9+deb6u11 on Squeeze LTS has the bug fixed - because now it's broken!

Request the URL

http://example.com/cacti/graph.php?action=view&local_graph_id=3171&rra_id=all

And you'll get the error:

PHP Fatal error: Call to undefined function input_validate_input_regex() in /usr/share/cacti/site/graph.php on line 31

This is no wonder because /usr/share/cacti/site/graph.php looks like:

<?php

/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = "view"; }
if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }

$guest_account = true;
/* ================= input validation ================= */
input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var_request("local_graph_id"));
input_validate_input_number(get_request_var_request("graph_end"));
input_validate_input_number(get_request_var_request("graph_start"));
input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
/* ==================================================== */

include("./include/auth.php");
include_once("./lib/rrd.php");
include_once("./lib/html_tree.php");
include_once("./include/top_graph_header.php");

[..]



There is no function 'input_validate_input_regex' defined, nor is any include done
before input_validate_input_regex is used on line 31.

This is very dangerous because one could think moving the 4-line include block before
the first input_validate_input_ line *reopens* the SQL injection!

Please fix this and test afterwards with the URL

http://example.com/cacti/graph.php?action=properties&local_graph_id=3363&rra_id=1 and benchmark(20000000%2csha1(1))-- &view_type=tree&graph_start=1449752140&graph_end=1449838540
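
An added example, not part of the original message and not Cacti code: a small Python model of the validation rules quoted from graph.php above, applied to the two URLs in the report, showing which parameter a working fix has to refuse. Accepting empty values and treating input_validate_input_number as a digits-only check are assumptions, as is the helper name rejected_params.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patterns copied from the graph.php excerpt in the report.
REGEX_RULES = {
    "rra_id": r"^([0-9]+|all)$",
    "view_type": r"^([a-zA-Z0-9]+)$",
}
# Parameters the excerpt passes to input_validate_input_number().
NUMBER_PARAMS = ("local_graph_id", "graph_end", "graph_start")

# The two URLs from the report, used here as offline sample input.
VIEW_URL = ("http://example.com/cacti/graph.php"
            "?action=view&local_graph_id=3171&rra_id=all")
TEST_URL = ("http://example.com/cacti/graph.php?action=properties"
            "&local_graph_id=3363&rra_id=1 and benchmark(20000000%2csha1(1))-- "
            "&view_type=tree&graph_start=1449752140&graph_end=1449838540")


def rejected_params(url):
    """Return the sorted names of parameters the rules would refuse."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    bad = []
    for name in (*REGEX_RULES, *NUMBER_PARAMS):
        # Like PHP, use the last occurrence of a repeated parameter.
        value = query.get(name, [""])[-1]
        if value == "":
            continue  # assumption: absent or empty values are accepted
        if name in REGEX_RULES:
            ok = re.search(REGEX_RULES[name], value) is not None
        else:
            # assumption: "number" is modelled as decimal digits only
            ok = re.fullmatch(r"[0-9]+", value) is not None
        if not ok:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    for url in (VIEW_URL, TEST_URL):
        bad = rejected_params(url)
        verdict = "rejected: " + ", ".join(bad) if bad else "accepted"
        print(f"{verdict:20} {url}")
```

A fixed build should serve the first URL without the fatal error and refuse the second one at the rra_id check.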
