Package: cacti
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.

CVE-2009-4032[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e
| allow remote attackers to inject arbitrary web script or HTML via
| vectors related to (1) graph.php, (2) include/top_graph_header.php,
| (3) lib/html_form.php, and (4) lib/timespan_settings.php, as
| demonstrated by the (a) graph_end or (b) graph_start parameters to
| graph.php; (c) the date1 parameter in a tree action to graph_view.php;
| and the (d) page_refresh and (e) default_dual_pane_width parameters to
| graph_settings.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Uploaded NMU patch attached.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4032
    http://security-tracker.debian.org/tracker/CVE-2009-4032
diff -u cacti-0.8.7e/debian/changelog cacti-0.8.7e/debian/changelog
--- cacti-0.8.7e/debian/changelog
+++ cacti-0.8.7e/debian/changelog
@@ -1,3 +1,11 @@
+cacti (0.8.7e-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix several cross-site scriptings via different vectors
+    Fixes: CVE-2009-4032
+
+ -- Steffen Joeris <wh...@debian.org>  Wed, 16 Dec 2009 12:06:20 +0100
+
 cacti (0.8.7e-1) unstable; urgency=low
 
   * New upstream release (Closes: #541490).
diff -u cacti-0.8.7e/debian/patches/series cacti-0.8.7e/debian/patches/series
--- cacti-0.8.7e/debian/patches/series
+++ cacti-0.8.7e/debian/patches/series
@@ -7,0 +8 @@
+08_CVE-2009-4032.patch
only in patch2:
unchanged:
--- cacti-0.8.7e.orig/debian/patches/08_CVE-2009-4032.patch
+++ cacti-0.8.7e/debian/patches/08_CVE-2009-4032.patch
@@ -0,0 +1,101 @@
+--- cacti-0.8.7e/graph.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/graph.php	2009-11-21 23:10:16.000000000 -0500
+@@ -35,6 +35,8 @@
+ /* ================= input validation ================= */
+ input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
+ input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("graph_end"));
++input_validate_input_number(get_request_var("graph_start"));
+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
+ /* ==================================================== */
+ 
+--- cacti-0.8.7e/include/top_graph_header.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/include/top_graph_header.php	2009-11-21 23:15:27.000000000 -0500
+@@ -58,7 +58,7 @@
+ 		if ($_SESSION["custom"]) {
+ 			print "<meta http-equiv=refresh content='99999'>\r\n";
+ 		}else{
+-			print "<meta http-equiv=refresh content='" . read_graph_config_option("page_refresh") . "'>\r\n";
++			print "<meta http-equiv=refresh content='" . htmlspecialchars(read_graph_config_option("page_refresh"),ENT_QUOTES) . "'>\r\n";
+ 		}
+ 	}
+ 	?>
+@@ -113,7 +113,7 @@
+ 	</tr>
+ 	<tr class="noprint">
+ 		<td bgcolor="#efefef" colspan="1" height="8" style="background-image: url(images/shadow_gray.gif); background-repeat: repeat-x; border-right: #aaaaaa 1px solid;">
+-			<img src="images/transparent_line.gif" width="<?php print read_graph_config_option("default_dual_pane_width");?>" height="2" border="0"><br>
++			<img src="images/transparent_line.gif" width="<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>" height="2" border="0"><br>
+ 		</td>
+ 		<td bgcolor="#ffffff" colspan="1" height="8" style="background-image: url(images/shadow.gif); background-repeat: repeat-x;">
+ 
+@@ -144,7 +144,7 @@
+ 
+ 	<tr>
+ 		<?php if ((read_graph_config_option("default_tree_view_mode") == "2") && (($_REQUEST["action"] == "tree") || ((isset($_REQUEST["view_type"]) ? $_REQUEST["view_type"] : "") == "tree"))) { ?>
+-		<td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print read_graph_config_option("default_dual_pane_width");?>' class='noprint'>
++		<td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;" bgcolor='#efefef' width='<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>' class='noprint'>
+ 			<table border=0 cellpadding=0 cellspacing=0><tr><td><font size=-2><a style="font-size:7pt;text-decoration:none;color:silver" href="http://www.treemenu.net/"; target=_blank></a></font></td></tr></table>
+ 			<?php grow_dhtml_trees(); ?>
+ 			<script type="text/javascript">initializeDocument();</script>
+--- cacti-0.8.7e/lib/timespan_settings.php	2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e/include/html/inc_timespan_settings.php	2009-11-21 23:15:49.000000000 -0500
+@@ -125,9 +125,9 @@
+ 	if (isset($_POST["date1"])) {
+ 		/* the dates have changed, therefore, I am now custom */
+ 		if (($_SESSION["sess_current_date1"] != $_POST["date1"]) || ($_SESSION["sess_current_date2"] != $_POST["date2"])) {
+-			$timespan["current_value_date1"] = $_POST["date1"];
++			$timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]);
+ 			$timespan["begin_now"] =strtotime($timespan["current_value_date1"]);
+-			$timespan["current_value_date2"] = $_POST["date2"];
++			$timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]);
+ 			$timespan["end_now"]=strtotime($timespan["current_value_date2"]);
+ 			$_SESSION["sess_current_timespan"] = GT_CUSTOM;
+ 			$_SESSION["custom"] = 1;
+@@ -135,8 +135,8 @@
+ 		}else {
+ 			/* the default button wasn't pushed */
+ 			if (!isset($_POST["button_clear_x"])) {
+-				$timespan["current_value_date1"] = $_POST["date1"];
+-				$timespan["current_value_date2"] = $_POST["date2"];
++				$timespan["current_value_date1"] = sanitize_search_string($_POST["date1"]);
++				$timespan["current_value_date2"] = sanitize_search_string($_POST["date2"]);
+ 				$timespan["begin_now"] = $_SESSION["sess_current_timespan_begin_now"];
+ 				$timespan["end_now"] = $_SESSION["sess_current_timespan_end_now"];
+ 
+--- ../old/cacti-0.8.7b/lib/html_form.php	2008-02-13 22:07:53.000000000 +0000
++++ cacti-0.8.7e/lib/html_form.php	2009-12-07 16:38:16.000000000 +0000
+@@ -241,13 +241,13 @@
+ 
+ 		if (sizeof($items) > 0) {
+ 		foreach ($items as $item) {
+-			print $item["name"] . "<br>";
++			print htmlspecialchars($item["name"],ENT_QUOTES) . "<br>";
+ 		}
+ 		}
+ 
+ 		break;
+ 	default:
+-		print "<em>" . $field_array["value"] . "</em>";
++		print "<em>" . htmlspecialchars($field_array["value"],ENT_QUOTES) . "</em>";
+ 
+ 		form_hidden_box($field_name, $field_array["value"], "");
+ 
+@@ -390,7 +390,7 @@
+ 		$form_previous_value = $form_default_value;
+ 	}
+ 
+-	print "<input type='hidden' id='$form_name' name='$form_name' value='$form_previous_value'>\n";
++	print "<input type='hidden' id='$form_name' name='$form_name' value='" . htmlspecialchars($form_previous_value, ENT_QUOTES) . "'>\n";
+ }
+ 
+ /* form_dropdown - draws a standard html dropdown box
+@@ -574,7 +574,7 @@
+ 			}
+ 		}
+ 
+-		print ">". $array_display[$id];
++		print ">". htmlspecialchars($array_display[$id],ENT_QUOTES);
+ 		print "</option>\n";
+ 	}
+ 
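Review bot: The escaping in the embedded top_graph_header.php hunks is inconsistent with the attribute quoting: the page_refresh line at L74 passes ENT_QUOTES, but the two default_dual_pane_width lines at L83 and L92 call htmlspecialchars() with default flags, and L92 emits the value inside a single-quoted attribute (`width='...'`), where a single quote is not escaped by the default flags and can still close the attribute. Passing the flag on both lines makes them match the rest of the patch, e.g. `width='<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"), ENT_QUOTES);?>'`. Separately, the file headers for the timespan hunk (L96–L97: `---` names lib/timespan_settings.php, `+++` names include/html/inc_timespan_settings.php) and for html_form.php (L121, an 0.8.7b path) disagree on the target path; which name patch picks depends on its heuristics, so it is worth confirming the series entry applies cleanly against the 0.8.7e tree. The functions edited by these hunks start and end outside the hunks shown.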
