if i rightly understand the multiple_vulnerabilities-0.8.7a.patch, it checks with substr_count() if PHP_SELF is contained some way in SCRIPT_FILENAME, that is valid for every apache configuration, but require a vanilla tree of cacti application
in debian we have an addictional site/ directory, so this check will fail basename()ing $_SERVER["PHP_SELF"] will produce a still valid check against filesystem, but relax this check: substr_count( $_SERVER["SCRIPT_FILENAME"], basename($_SERVER["PHP_SELF"]) ) HTH, -- Alessandro Ogier gpg --keyserver pgp.mit.edu --recv-keys EEBB4D0D
diff -ruBbd cacti-0.8.7a/auth_login.php cacti-0.8.7a-patched/auth_login.php --- cacti-0.8.7a/auth_login.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/auth_login.php 2008-02-11 20:01:10.000000000 -0500 @@ -51,6 +51,8 @@ } } +$username = sanitize_search_string($username); + /* process login */ $copy_user = false; $user_auth = false; diff -ruBbd cacti-0.8.7a/graph.php cacti-0.8.7a-patched/graph.php --- cacti-0.8.7a/graph.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/graph.php 2008-02-11 20:01:10.000000000 -0500 @@ -33,10 +33,15 @@ include("./include/top_graph_header.php"); /* ================= input validation ================= */ -input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); +input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$"); input_validate_input_number(get_request_var("local_graph_id")); +input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); /* ==================================================== */ +if (!isset($_GET['rra_id'])) { + $_GET['rra_id'] = 'all'; +} + if ($_GET["rra_id"] == "all") { $sql_where = " where id is not null"; }else{ diff -ruBbd cacti-0.8.7a/graph_view.php cacti-0.8.7a-patched/graph_view.php --- cacti-0.8.7a/graph_view.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/graph_view.php 2008-02-11 20:01:10.000000000 -0500 @@ -34,6 +34,9 @@ input_validate_input_number(get_request_var("tree_id")); input_validate_input_number(get_request_var("leaf_id")); input_validate_input_number(get_request_var("rra_id")); +input_validate_input_regex(get_request_var_request('graph_list'), "^([\,0-9]+)$"); +input_validate_input_regex(get_request_var_request('graph_add'), "^([\,0-9]+)$"); +input_validate_input_regex(get_request_var_request('graph_remove'), "^([\,0-9]+)$"); /* ==================================================== */ if (isset($_GET["hide"])) { @@ -417,7 +420,7 @@ </td> <td width="1"> <select name="host_id" onChange="applyGraphListFilterChange(document.form_graph_list)"> - <option value="0"<?php print $_REQUEST["filter"];?><?php if ($_REQUEST["host_id"] == "0") {?> selected<?php }?>>Any</option> + <option value="0"<?php if ($_REQUEST["host_id"] == "0") {?> selected<?php }?>>Any</option> <?php if (read_config_option("auth_method") != 0) { /* get policy information for the sql where clause */ diff -ruBbd cacti-0.8.7a/include/global.php cacti-0.8.7a-patched/include/global.php --- cacti-0.8.7a/include/global.php 2007-11-17 13:11:52.000000000 -0500 +++ cacti-0.8.7a-patched/include/global.php 2008-02-11 20:01:26.000000000 -0500 @@ -107,6 +107,16 @@ $colors["form_alternate2"] = "E5E5E5"; if ((!in_array(basename($_SERVER["PHP_SELF"]), $no_http_header_files, true)) && ($_SERVER["PHP_SELF"] != "")) { + /* Sanity Check on "Corrupt" PHP_SELF */ + if ((!is_file($_SERVER["PHP_SELF"])) && (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"]))) { + if (!is_file($_SERVER["DOCUMENT_ROOT"] . $_SERVER["PHP_SELF"])) { + if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], basename($_SERVER["PHP_SELF"]))))) { + echo "\nInvalid PHP_SELF Path\n"; + exit; + } + } + } + /* we don't want these pages cached */ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); diff -ruBbd cacti-0.8.7a/lib/api_tree.php cacti-0.8.7a-patched/lib/api_tree.php --- cacti-0.8.7a/lib/api_tree.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/lib/api_tree.php 2008-02-11 20:01:53.000000000 -0500 @@ -26,6 +26,9 @@ $host_id, $host_grouping_type, $sort_children_type, $propagate_changes) { global $config; + input_validate_input_number($tree_id); + input_validate_input_number($parent_tree_item_id); + include_once($config["library_path"] . "/tree.php"); $parent_order_key = db_fetch_cell("select order_key from graph_tree_items where id=$parent_tree_item_id"); diff -ruBbd cacti-0.8.7a/lib/functions.php cacti-0.8.7a-patched/lib/functions.php --- cacti-0.8.7a/lib/functions.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/lib/functions.php 2008-02-11 20:01:53.000000000 -0500 @@ -1566,6 +1622,9 @@ ); $current_page = basename($_SERVER["PHP_SELF"]); + + input_validate_input_regex(get_request_var_request("action"), "^([a-zA-Z0-9_-]+)$"); + $current_action = (isset($_REQUEST["action"]) ? $_REQUEST["action"] : ""); /* find the current page in the big array */ @@ -1856,8 +1915,8 @@ @arg $string - the original raw search string @returns - the sanitized search string */ function sanitize_search_string($string) { - static $drop_char_match = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '~', '+', '[', ']', '{', '}', '#', ';', '!'); - static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); + static $drop_char_match = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '~', '+', '[', ']', '{', '}', '#', ';', '!', '='); + static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); /* Replace line endings by a space */ $string = preg_replace('/[\n\r]/is', ' ', $string); diff -ruBbd cacti-0.8.7a/lib/html_utility.php cacti-0.8.7a-patched/lib/html_utility.php --- cacti-0.8.7a/lib/html_utility.php 2007-11-17 13:11:52.000000000 -0500 +++ cacti-0.8.7a-patched/lib/html_utility.php 2008-02-11 20:01:53.000000000 -0500 @@ -158,13 +158,15 @@ @arg $default - the value to return if the specified name does not exist in the $_GET array @returns - the value of the request variable */ -function get_request_var($name, $default = "") -{ - if (isset($_GET[$name])) - { +function get_request_var($name, $default = "") { + if (isset($_GET[$name])) { + if (isset($_POST[$name])) { + unset($_POST[$name]); + $_REQUEST[$name] = $_GET[$name]; + } + return $_GET[$name]; - } else - { + }else{ return $default; } } @@ -176,13 +178,15 @@ @arg $default - the value to return if the specified name does not exist in the $_POST array @returns - the value of the request variable */ -function get_request_var_post($name, $default = "") -{ - if (isset($_POST[$name])) - { +function get_request_var_post($name, $default = "") { + if (isset($_POST[$name])) { + if (isset($_GET[$name])) { + unset($_GET[$name]); + $_REQUEST[$name] = $_POST[$name]; + } + return $_POST[$name]; - } else - { + }else{ return $default; } } diff -ruBbd cacti-0.8.7a/tree.php cacti-0.8.7a-patched/tree.php --- cacti-0.8.7a/tree.php 2007-11-17 13:11:51.000000000 -0500 +++ cacti-0.8.7a-patched/tree.php 2008-02-11 20:01:10.000000000 -0500 @@ -27,6 +27,11 @@ include_once('./lib/tree.php'); include_once('./lib/html_tree.php'); +input_validate_input_number(get_request_var('tree_id')); +input_validate_input_number(get_request_var('leaf_id')); +input_validate_input_number(get_request_var_post('graph_tree_id')); +input_validate_input_number(get_request_var_post('parent_item_id')); + /* set default action */ if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }