authorJason Unovitch <junovitch@FreeBSD.org>2016-01-06 01:33:23 +0000
committerJason Unovitch <junovitch@FreeBSD.org>2016-01-06 01:33:23 +0000
commiteabf81ef766b720d353cf0f233dd71aa926f4cd1 (patch)
treef9a5568fadaa5679861e4c29478e3e4e17c6f6ce /net-mgmt/cacti
parent20dc1660d43d25cec8a74500d5d7a4343376dd9d (diff)
net-mgmt/cacti: add patch for SQL injection in the graphs.php page
PR:		205920
Submitted by:	rakuco
Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
Obtained from:	http://svn.cacti.net/viewvc?view=rev&revision=7767
Security:	CVE-2015-8369
Security:	https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html
MFH:		2016Q1
Notes: svn path=/head/; revision=405325
Diffstat (limited to 'net-mgmt/cacti')
-rw-r--r--net-mgmt/cacti/Makefile2
-rw-r--r--net-mgmt/cacti/files/patch-CVE-2015-8369218
2 files changed, 219 insertions, 1 deletions
diff --git a/net-mgmt/cacti/Makefile b/net-mgmt/cacti/Makefile
index 7094ace88b51..5e8317d02139 100644
--- a/net-mgmt/cacti/Makefile
+++ b/net-mgmt/cacti/Makefile
@@ -2,7 +2,7 @@
PORTNAME= cacti
PORTVERSION= 0.8.8f${PATCHLEVEL}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net-mgmt www
MASTER_SITES= http://www.cacti.net/downloads/ \
ftp://ftpmirror.uk/freebsd-ports/cacti/
diff --git a/net-mgmt/cacti/files/patch-CVE-2015-8369 b/net-mgmt/cacti/files/patch-CVE-2015-8369
new file mode 100644
index 000000000000..97d9b6761d4b
--- /dev/null
+++ b/net-mgmt/cacti/files/patch-CVE-2015-8369
@@ -0,0 +1,218 @@
+------------------------------------------------------------------------
+r7767 | cigamit | 2015-11-28 20:08:16 +0000 (Sat, 28 Nov 2015) | 1 line
+Changed paths:
+ M /cacti/tags/0.8.8g/docs/CHANGELOG
+ M /cacti/tags/0.8.8g/graph.php
+ M /cacti/tags/0.8.8g/include/top_graph_header.php
+------------------------------------------------------------------------
+
+-bug:0002646: SQL injection in graph.php
+
+--- graph.php (revision 7766)
++++ graph.php (revision 7767)
+@@ -32,29 +32,29 @@
+
+ api_plugin_hook_function('graph');
+
+-include_once("./lib/html_tree.php");
+-include_once("./include/top_graph_header.php");
+-
+ /* ================= input validation ================= */
+-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
+-input_validate_input_number(get_request_var("local_graph_id"));
+-input_validate_input_number(get_request_var("graph_end"));
+-input_validate_input_number(get_request_var("graph_start"));
++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
++input_validate_input_number(get_request_var_request("local_graph_id"));
++input_validate_input_number(get_request_var_request("graph_end"));
++input_validate_input_number(get_request_var_request("graph_start"));
+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
+ /* ==================================================== */
+
+-if (!isset($_GET['rra_id'])) {
+- $_GET['rra_id'] = 'all';
++include_once("./lib/html_tree.php");
++include_once("./include/top_graph_header.php");
++
++if (!isset($_REQUEST['rra_id'])) {
++ $_REQUEST['rra_id'] = 'all';
+ }
+
+-if ($_GET["rra_id"] == "all") {
++if ($_REQUEST["rra_id"] == "all") {
+ $sql_where = " where id is not null";
+ }else{
+- $sql_where = " where id=" . $_GET["rra_id"];
++ $sql_where = " where id=" . $_REQUEST["rra_id"];
+ }
+
+ /* make sure the graph requested exists (sanity) */
+-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
+ print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;
+ }
+
+@@ -61,7 +61,7 @@
+ /* take graph permissions into account here, if the user does not have permission
+ give an "access denied" message */
+ if (read_config_option("auth_method") != 0) {
+- $access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
+
+ if ($access_denied == true) {
+ print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;
+@@ -68,7 +68,7 @@
+ }
+ }
+
+-$graph_title = get_graph_title($_GET["local_graph_id"]);
++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
+
+ if ($_REQUEST["view_type"] == "tree") {
+ print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
+@@ -76,15 +76,15 @@
+ print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
+ }
+
+-$rras = get_associated_rras($_GET["local_graph_id"]);
++$rras = get_associated_rras($_REQUEST["local_graph_id"]);
+
+ switch ($_REQUEST["action"]) {
+ case 'view':
+ api_plugin_hook_function('page_buttons',
+- array('lgid' => $_GET["local_graph_id"],
++ array('lgid' => $_REQUEST["local_graph_id"],
+ 'leafid' => '',//$leaf_id,
+ 'mode' => 'mrtg',
+- 'rraid' => $_GET["rra_id"])
++ 'rraid' => $_REQUEST["rra_id"])
+ );
+ ?>
+ <tr class='tableHeader'>
+@@ -105,13 +105,13 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
++ <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ <a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>
+ </td>
+ </tr>
+@@ -143,7 +143,7 @@
+ }
+
+ /* fetch information for the current RRA */
+- $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
++ $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
+
+ /* define the time span, which decides which rra to use */
+ $timespan = -($rra["timespan"]);
+@@ -154,7 +154,7 @@
+ FROM (data_template_data,data_template_rrd,graph_templates_item)
+ WHERE graph_templates_item.task_item_id=data_template_rrd.id
+ AND data_template_rrd.local_data_id=data_template_data.local_data_id
+- AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
++ AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
+ " LIMIT 0,1");
+ $ds_step = empty($ds_step) ? 300 : $ds_step;
+ $seconds_between_graph_updates = ($ds_step * $rra["steps"]);
+@@ -161,17 +161,17 @@
+
+ $now = time();
+
+- if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
+- $graph_end = $_GET["graph_end"];
++ if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
++ $graph_end = $_REQUEST["graph_end"];
+ }else{
+ $graph_end = $now - $seconds_between_graph_updates;
+ }
+
+- if (isset($_GET["graph_start"])) {
+- if (($graph_end - $_GET["graph_start"])>$max_timespan) {
++ if (isset($_REQUEST["graph_start"])) {
++ if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
+ $graph_start = $now - $max_timespan;
+ }else {
+- $graph_start = $_GET["graph_start"];
++ $graph_start = $_REQUEST["graph_start"];
+ }
+ }else{
+ $graph_start = $now + $timespan;
+@@ -186,7 +186,7 @@
+ graph_templates_graph.height,
+ graph_templates_graph.width
+ from graph_templates_graph
+- where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
++ where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
+
+ $graph_height = $graph["height"];
+ $graph_width = $graph["width"];
+@@ -214,12 +214,12 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
++ <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ </td>
+ </tr>
+ <tr>
+@@ -249,17 +249,17 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
++ <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan='2' align='center'>
+- <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
++ <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
+ </td>
+ </tr>
+ </table>
+--- include/top_graph_header.php (revision 7766)
++++ include/top_graph_header.php (revision 7767)
+@@ -146,12 +146,12 @@
+ $graph_data_array["print_source"] = true;
+
+ /* override: graph start time (unix time) */
+- if (!empty($_GET["graph_start"])) {
++ if (!empty($_REQUEST["graph_start"])) {
+ $graph_data_array["graph_start"] = get_request_var_request("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+- if (!empty($_GET["graph_end"])) {
++ if (!empty($_REQUEST["graph_end"])) {
+ $graph_data_array["graph_end"] = get_request_var_request("graph_end");
+ }
+
+
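Review bot: The patched graph.php still builds its SQL by string concatenation (`" where id=" . $_REQUEST["rra_id"]`, `"... local_graph_id=" . $_REQUEST["local_graph_id"]` and the two `rra` lookups), so the regex/number checks at the top of the file remain the only barrier, and the fix holds only because validator and consumers now read the same superglobal. That invariant is unstated; a comment at the end of the validation block would protect it, e.g. `/* every request read in this file MUST use $_REQUEST (or get_request_var_request): only $_REQUEST is validated above, so reintroducing $_GET here bypasses validation */`. The properties view's zoom link still calls `get_request_var("graph_start")` and `get_request_var("graph_end")`, presumably the $_GET accessor, which is inconsistent with the rest of the patch even though that value only reaches an htmlspecialchars()-escaped URL. Moving the `include_once("./include/top_graph_header.php")` below the validation block is part of the fix (the header reads graph_start/graph_end via get_request_var_request), so the one-line `bug:0002646` summary undersells what the patch changes; the port's patch file could note this next to the r7767 header.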