svn commit: r405325 - in head/net-mgmt/cacti: . files
Jason Unovitch
junovitch at FreeBSD.org
Wed Jan 6 01:33:25 UTC 2016
Author: junovitch
Date: Wed Jan 6 01:33:23 2016
New Revision: 405325
URL: https://svnweb.freebsd.org/changeset/ports/405325
Log:
net-mgmt/cacti: add patch for SQL injection in the graphs.php page
PR: 205920
Submitted by: rakuco
Approved by: Daniel Austin <freebsd-ports at dan.me.uk> (maintainer)
Obtained from: http://svn.cacti.net/viewvc?view=rev&revision=7767
Security: CVE-2015-8369
Security: https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html
MFH: 2016Q1
Added:
head/net-mgmt/cacti/files/patch-CVE-2015-8369 (contents, props changed)
Modified:
head/net-mgmt/cacti/Makefile
Modified: head/net-mgmt/cacti/Makefile
==============================================================================
--- head/net-mgmt/cacti/Makefile Wed Jan 6 01:16:11 2016 (r405324)
+++ head/net-mgmt/cacti/Makefile Wed Jan 6 01:33:23 2016 (r405325)
@@ -2,7 +2,7 @@
PORTNAME= cacti
PORTVERSION= 0.8.8f${PATCHLEVEL}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net-mgmt www
MASTER_SITES= http://www.cacti.net/downloads/ \
ftp://ftpmirror.uk/freebsd-ports/cacti/
Added: head/net-mgmt/cacti/files/patch-CVE-2015-8369
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net-mgmt/cacti/files/patch-CVE-2015-8369 Wed Jan 6 01:33:23 2016 (r405325)
@@ -0,0 +1,218 @@
+------------------------------------------------------------------------
+r7767 | cigamit | 2015-11-28 20:08:16 +0000 (Sat, 28 Nov 2015) | 1 line
+Changed paths:
+ M /cacti/tags/0.8.8g/docs/CHANGELOG
+ M /cacti/tags/0.8.8g/graph.php
+ M /cacti/tags/0.8.8g/include/top_graph_header.php
+------------------------------------------------------------------------
+
+-bug:0002646: SQL injection in graph.php
+
+--- graph.php (revision 7766)
++++ graph.php (revision 7767)
+@@ -32,29 +32,29 @@
+
+ api_plugin_hook_function('graph');
+
+-include_once("./lib/html_tree.php");
+-include_once("./include/top_graph_header.php");
+-
+ /* ================= input validation ================= */
+-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
+-input_validate_input_number(get_request_var("local_graph_id"));
+-input_validate_input_number(get_request_var("graph_end"));
+-input_validate_input_number(get_request_var("graph_start"));
++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
++input_validate_input_number(get_request_var_request("local_graph_id"));
++input_validate_input_number(get_request_var_request("graph_end"));
++input_validate_input_number(get_request_var_request("graph_start"));
+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
+ /* ==================================================== */
+
+-if (!isset($_GET['rra_id'])) {
+- $_GET['rra_id'] = 'all';
++include_once("./lib/html_tree.php");
++include_once("./include/top_graph_header.php");
++
++if (!isset($_REQUEST['rra_id'])) {
++ $_REQUEST['rra_id'] = 'all';
+ }
+
+-if ($_GET["rra_id"] == "all") {
++if ($_REQUEST["rra_id"] == "all") {
+ $sql_where = " where id is not null";
+ }else{
+- $sql_where = " where id=" . $_GET["rra_id"];
++ $sql_where = " where id=" . $_REQUEST["rra_id"];
+ }
+
+ /* make sure the graph requested exists (sanity) */
+-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
+ print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;
+ }
+
+@@ -61,7 +61,7 @@
+ /* take graph permissions into account here, if the user does not have permission
+ give an "access denied" message */
+ if (read_config_option("auth_method") != 0) {
+- $access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
+
+ if ($access_denied == true) {
+ print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;
+@@ -68,7 +68,7 @@
+ }
+ }
+
+-$graph_title = get_graph_title($_GET["local_graph_id"]);
++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
+
+ if ($_REQUEST["view_type"] == "tree") {
+ print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
+@@ -76,15 +76,15 @@
+ print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
+ }
+
+-$rras = get_associated_rras($_GET["local_graph_id"]);
++$rras = get_associated_rras($_REQUEST["local_graph_id"]);
+
+ switch ($_REQUEST["action"]) {
+ case 'view':
+ api_plugin_hook_function('page_buttons',
+- array('lgid' => $_GET["local_graph_id"],
++ array('lgid' => $_REQUEST["local_graph_id"],
+ 'leafid' => '',//$leaf_id,
+ 'mode' => 'mrtg',
+- 'rraid' => $_GET["rra_id"])
++ 'rraid' => $_REQUEST["rra_id"])
+ );
+ ?>
+ <tr class='tableHeader'>
+@@ -105,13 +105,13 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
++ <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ <a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>
+ </td>
+ </tr>
+@@ -143,7 +143,7 @@
+ }
+
+ /* fetch information for the current RRA */
+- $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
++ $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
+
+ /* define the time span, which decides which rra to use */
+ $timespan = -($rra["timespan"]);
+@@ -154,7 +154,7 @@
+ FROM (data_template_data,data_template_rrd,graph_templates_item)
+ WHERE graph_templates_item.task_item_id=data_template_rrd.id
+ AND data_template_rrd.local_data_id=data_template_data.local_data_id
+- AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
++ AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
+ " LIMIT 0,1");
+ $ds_step = empty($ds_step) ? 300 : $ds_step;
+ $seconds_between_graph_updates = ($ds_step * $rra["steps"]);
+@@ -161,17 +161,17 @@
+
+ $now = time();
+
+- if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
+- $graph_end = $_GET["graph_end"];
++ if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
++ $graph_end = $_REQUEST["graph_end"];
+ }else{
+ $graph_end = $now - $seconds_between_graph_updates;
+ }
+
+- if (isset($_GET["graph_start"])) {
+- if (($graph_end - $_GET["graph_start"])>$max_timespan) {
++ if (isset($_REQUEST["graph_start"])) {
++ if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
+ $graph_start = $now - $max_timespan;
+ }else {
+- $graph_start = $_GET["graph_start"];
++ $graph_start = $_REQUEST["graph_start"];
+ }
+ }else{
+ $graph_start = $now + $timespan;
+@@ -186,7 +186,7 @@
+ graph_templates_graph.height,
+ graph_templates_graph.width
+ from graph_templates_graph
+- where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
++ where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
+
+ $graph_height = $graph["height"];
+ $graph_width = $graph["width"];
+@@ -214,12 +214,12 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
++ <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;' class='noprint'>
+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ </td>
+ </tr>
+ <tr>
+@@ -249,17 +249,17 @@
+ <table width='1' cellpadding='0'>
+ <tr>
+ <td>
+- <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
++ <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
+ </td>
+ <td valign='top' style='padding: 3px;'>
+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+- <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
++ <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan='2' align='center'>
+- <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
++ <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
+ </td>
+ </tr>
+ </table>
+--- include/top_graph_header.php (revision 7766)
++++ include/top_graph_header.php (revision 7767)
+@@ -146,12 +146,12 @@
+ $graph_data_array["print_source"] = true;
+
+ /* override: graph start time (unix time) */
+- if (!empty($_GET["graph_start"])) {
++ if (!empty($_REQUEST["graph_start"])) {
+ $graph_data_array["graph_start"] = get_request_var_request("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+- if (!empty($_GET["graph_end"])) {
++ if (!empty($_REQUEST["graph_end"])) {
+ $graph_data_array["graph_end"] = get_request_var_request("graph_end");
+ }
+
+
More information about the svn-ports-head
mailing list