Package: cacti Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for cacti.
CVE-2009-4032[0]: | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e | allow remote attackers to inject arbitrary web script or HTML via | vectors related to (1) graph.php, (2) include/top_graph_header.php, | (3) lib/html_form.php, and (4) lib/timespan_settings.php, as | demonstrated by the (a) graph_end or (b) graph_start parameters to | graph.php; (c) the date1 parameter in a tree action to graph_view.php; | and the (d) page_refresh and (e) default_dual_pane_width parameters to | graph_settings.php. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Uploaded NMU patch attached. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4032 http://security-tracker.debian.org/tracker/CVE-2009-4032
diff -u cacti-0.8.7e/debian/changelog cacti-0.8.7e/debian/changelog --- cacti-0.8.7e/debian/changelog +++ cacti-0.8.7e/debian/changelog @@ -1,3 +1,11 @@ +cacti (0.8.7e-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix several cross-site scriptings via different vectors + Fixes: CVE-2009-4032 + + -- Steffen Joeris <wh...@debian.org> Wed, 16 Dec 2009 12:06:20 +0100 + cacti (0.8.7e-1) unstable; urgency=low * New upstream release (Closes: #541490). diff -u cacti-0.8.7e/debian/patches/series cacti-0.8.7e/debian/patches/series --- cacti-0.8.7e/debian/patches/series +++ cacti-0.8.7e/debian/patches/series @@ -7,0 +8 @@ +08_CVE-2009-4032.patch only in patch2: unchanged: --- cacti-0.8.7e.orig/debian/patches/08_CVE-2009-4032.patch +++ cacti-0.8.7e/debian/patches/08_CVE-2009-4032.patch @@ -0,0 +1,101 @@ +--- cacti-0.8.7e/graph.php 2009-06-28 12:07:11.000000000 -0400 ++++ cacti-0.8.7e/graph.php 2009-11-21 23:10:16.000000000 -0500 +@@ -35,6 +35,8 @@ + /* ================= input validation ================= */ + input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$"); + input_validate_input_number(get_request_var("local_graph_id")); ++input_validate_input_number(get_request_var("graph_end")); ++input_validate_input_number(get_request_var("graph_start")); + input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); + /* ==================================================== */ + +--- cacti-0.8.7e/include/top_graph_header.php 2009-06-28 12:07:11.000000000 -0400 ++++ cacti-0.8.7e/include/top_graph_header.php 2009-11-21 23:15:27.000000000 -0500 +@@ -58,7 +58,7 @@ + if ($_SESSION["custom"]) { + print "<meta http-equiv=refresh content='99999'>\r\n"; + }else{ +- print "<meta http-equiv=refresh content='" . read_graph_config_option("page_refresh") . "'>\r\n"; ++ print "<meta http-equiv=refresh content='" . htmlspecialchars(read_graph_config_option("page_refresh"),ENT_QUOTES) . "'>\r\n"; + } + } + ?> +@@ -113,7 +113,7 @@ + </tr> + <tr class="noprint"> + <td bgcolor="#efefef" colspan="1" height="8" style="background-image: url(images/shadow_gray.gif); background-repeat: repeat-x; border-right: #aaaaaa 1px solid;"> +- <img src="images/transparent_line.gif" width="<?php print read_graph_config_option("default_dual_pane_width");?>" height="2" border="0"><br> ++ <img src="images/transparent_line.gif" width="<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>" height="2" border="0"><br> + </td> + <td bgcolor="#ffffff" colspan="1" height="8" style="background-image: url(images/shadow.gif); background-repeat: repeat-x;"> + +@@ -144,7 +144,7 @@ + + <tr> + <?php if ((read_graph_config_option("default_tree_view_mode") == "2") && (($_REQUEST["action"] == "tree") || ((isset($_REQUEST["view_type"]) ? $_REQUEST["view_type"] : "") == "tree"))) { ?> +- <td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print read_graph_config_option("default_dual_pane_width");?>' class='noprint'> ++ <td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>' class='noprint'> + <table border=0 cellpadding=0 cellspacing=0><tr><td><font size=-2><a style="font-size:7pt;text-decoration:none;color:silver" href="http://www.treemenu.net/" target=_blank></a></font></td></tr></table> + <?php grow_dhtml_trees(); ?> + <script type="text/javascript">initializeDocument();</script> +--- cacti-0.8.7e/lib/timespan_settings.php 2009-06-28 12:07:11.000000000 -0400 ++++ cacti-0.8.7e/include/html/inc_timespan_settings.php 2009-11-21 23:15:49.000000000 -0500 +@@ -125,9 +125,9 @@ + if (isset($_POST["date1"])) { + /* the dates have changed, therefore, I am now custom */ + if (($_SESSION["sess_current_date1"] != $_POST["date1"]) || ($_SESSION["sess_current_date2"] != $_POST["date2"])) { +- $timespan["current_value_date1"] = $_POST["date1"]; ++ $timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]); + $timespan["begin_now"] =strtotime($timespan["current_value_date1"]); +- $timespan["current_value_date2"] = $_POST["date2"]; ++ $timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]); + $timespan["end_now"]=strtotime($timespan["current_value_date2"]); + $_SESSION["sess_current_timespan"] = GT_CUSTOM; + $_SESSION["custom"] = 1; +@@ -135,8 +135,8 @@ + }else { + /* the default button wasn't pushed */ + if (!isset($_POST["button_clear_x"])) { +- $timespan["current_value_date1"] = $_POST["date1"]; +- $timespan["current_value_date2"] = $_POST["date2"]; ++ $timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]); ++ $timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]); + $timespan["begin_now"] = $_SESSION["sess_current_timespan_begin_now"]; + $timespan["end_now"] = $_SESSION["sess_current_timespan_end_now"]; + +--- ../old/cacti-0.8.7b/lib/html_form.php 2008-02-13 22:07:53.000000000 +0000 ++++ cacti-0.8.7e/lib/html_form.php 2009-12-07 16:38:16.000000000 +0000 +@@ -241,13 +241,13 @@ + + if (sizeof($items) > 0) { + foreach ($items as $item) { +- print $item["name"] . "<br>"; ++ print htmlspecialchars($item["name"],ENT_QUOTES) . "<br>"; + } + } + + break; + default: +- print "<em>" . $field_array["value"] . "</em>"; ++ print "<em>" . htmlspecialchars($field_array["value"],ENT_QUOTES) . "</em>"; + + form_hidden_box($field_name, $field_array["value"], ""); + +@@ -390,7 +390,7 @@ + $form_previous_value = $form_default_value; + } + +- print "<input type='hidden' id='$form_name' name='$form_name' value='$form_previous_value'>\n"; ++ print "<input type='hidden' id='$form_name' name='$form_name' value='" . htmlspecialchars($form_previous_value, ENT_QUOTES) . "'>\n"; + } + + /* form_dropdown - draws a standard html dropdown box +@@ -574,7 +574,7 @@ + } + } + +- print ">". $array_display[$id]; ++ print ">". htmlspecialchars($array_display[$id],ENT_QUOTES); + print "</option>\n"; + } +