File CVE-2015-8369.patch of Package cacti
Date: 2015-11-28 21:08:16 +0100
Subject: -bug:0002646: SQL injection in graph.php
From: Andreas Stieger <astieger@suse.com>
Upstream: committed
References: https://bugzilla.opensuse.org/show_bug.cgi?id=958863 http://bugs.cacti.net/view.php?id=2646 http://svn.cacti.net/viewvc?view=rev&revision=7767
------------------------------------------------------------------------
r7767 | cigamit | 2015-11-28 21:08:16 +0100 (Svd., 28 Nov 2015) | 1 line
Changed paths:
M /cacti/tags/0.8.8g/docs/CHANGELOG
M /cacti/tags/0.8.8g/graph.php
M /cacti/tags/0.8.8g/include/top_graph_header.php
-bug:0002646: SQL injection in graph.php
------------------------------------------------------------------------
Index: cacti-0.8.8f/graph.php
===================================================================
--- cacti-0.8.8f.orig/graph.php
+++ cacti-0.8.8f/graph.php
@@ -32,43 +32,43 @@ include_once("./lib/rrd.php");
 api_plugin_hook_function('graph');
-include_once("./lib/html_tree.php");
-include_once("./include/top_graph_header.php");
-
 /* ================= input validation ================= */
-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
-input_validate_input_number(get_request_var("local_graph_id"));
-input_validate_input_number(get_request_var("graph_end"));
-input_validate_input_number(get_request_var("graph_start"));
+input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
+input_validate_input_number(get_request_var_request("local_graph_id"));
+input_validate_input_number(get_request_var_request("graph_end"));
+input_validate_input_number(get_request_var_request("graph_start"));
 input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
 /* ==================================================== */
-if (!isset($_GET['rra_id'])) {
-	$_GET['rra_id'] = 'all';
+include_once("./lib/html_tree.php");
+include_once("./include/top_graph_header.php");
+
+if (!isset($_REQUEST['rra_id'])) {
+	$_REQUEST['rra_id'] = 'all';
 }
-if ($_GET["rra_id"] == "all") {
+if ($_REQUEST["rra_id"] == "all") {
 	$sql_where = " where id is not null";
 }else{
-	$sql_where = " where id=" . $_GET["rra_id"];
+	$sql_where = " where id=" . $_REQUEST["rra_id"];
 }
 /* make sure the graph requested exists (sanity) */
-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
+if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
 	print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>";
 	exit;
 }
 /* take graph permissions into account here, if the user does not have permission give an "access denied" message */
 if (read_config_option("auth_method") != 0) {
-	$access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
+	$access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
 	if ($access_denied == true) {
 		print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>";
 		exit;
 	}
 }
-$graph_title = get_graph_title($_GET["local_graph_id"]);
+$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
 if ($_REQUEST["view_type"] == "tree") {
 	print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
@@ -76,15 +76,15 @@ if ($_REQUEST["view_type"] == "tree") {
 	print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
 }
-$rras = get_associated_rras($_GET["local_graph_id"]);
+$rras = get_associated_rras($_REQUEST["local_graph_id"]);
 switch ($_REQUEST["action"]) {
 case 'view':
 	api_plugin_hook_function('page_buttons',
-		array('lgid' => $_GET["local_graph_id"],
+		array('lgid' => $_REQUEST["local_graph_id"],
 			'leafid' => '',//$leaf_id,
 			'mode' => 'mrtg',
-			'rraid' => $_GET["rra_id"])
+			'rraid' => $_REQUEST["rra_id"])
 	);
 	?>
 	<tr class='tableHeader'>
@@ -105,13 +105,13 @@ case 'view':
 				<table width='1' cellpadding='0'>
 					<tr>
 						<td>
-							<img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+							<img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
 						</td>
 						<td valign='top' style='padding: 3px;' class='noprint'>
-							<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
-							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
-							<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
-							<?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
+							<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+							<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+							<?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
 							<a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>
 						</td>
 					</tr>
@@ -143,7 +143,7 @@ case 'zoom':
 	}
 	/* fetch information for the current RRA */
-	$rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
+	$rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
 	/* define the time span, which decides which rra to use */
 	$timespan = -($rra["timespan"]);
@@ -154,24 +154,24 @@ case 'zoom':
 		FROM (data_template_data,data_template_rrd,graph_templates_item)
 		WHERE graph_templates_item.task_item_id=data_template_rrd.id
 		AND data_template_rrd.local_data_id=data_template_data.local_data_id
-		AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
+		AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
 		" LIMIT 0,1");
 	$ds_step = empty($ds_step) ? 300 : $ds_step;
 	$seconds_between_graph_updates = ($ds_step * $rra["steps"]);
 	$now = time();
-	if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
-		$graph_end = $_GET["graph_end"];
+	if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
+		$graph_end = $_REQUEST["graph_end"];
 	}else{
 		$graph_end = $now - $seconds_between_graph_updates;
 	}
-	if (isset($_GET["graph_start"])) {
-		if (($graph_end - $_GET["graph_start"])>$max_timespan) {
+	if (isset($_REQUEST["graph_start"])) {
+		if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
 			$graph_start = $now - $max_timespan;
 		}else {
-			$graph_start = $_GET["graph_start"];
+			$graph_start = $_REQUEST["graph_start"];
 		}
 	}else{
 		$graph_start = $now + $timespan;
@@ -186,7 +186,7 @@ case 'zoom':
 		graph_templates_graph.height,
 		graph_templates_graph.width
 		from graph_templates_graph
-		where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
+		where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
 	$graph_height = $graph["height"];
 	$graph_width = $graph["width"];
@@ -214,12 +214,12 @@ case 'zoom':
 				<table width='1' cellpadding='0'>
 					<tr>
 						<td>
-							<img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
+							<img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
 						</td>
 						<td valign='top' style='padding: 3px;' class='noprint'>
-							<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
-							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
-							<?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+							<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
+							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+							<?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
 						</td>
 					</tr>
 					<tr>
@@ -249,17 +249,17 @@ case 'properties':
 				<table width='1' cellpadding='0'>
 					<tr>
 						<td>
-							<img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
+							<img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
 						</td>
 						<td valign='top' style='padding: 3px;'>
-							<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
-							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
-							<?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
+							<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
+							<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
+							<?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
 						</td>
 					</tr>
 					<tr>
 						<td colspan='2' align='center'>
-							<strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
+							<strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
 						</td>
 					</tr>
 				</table>
Index: cacti-0.8.8f/include/top_graph_header.php
===================================================================
--- cacti-0.8.8f.orig/include/top_graph_header.php
+++ cacti-0.8.8f/include/top_graph_header.php
@@ -146,12 +146,12 @@ $page_title = api_plugin_hook_function('
 	$graph_data_array["print_source"] = true;
 	/* override: graph start time (unix time) */
-	if (!empty($_GET["graph_start"])) {
+	if (!empty($_REQUEST["graph_start"])) {
 		$graph_data_array["graph_start"] = get_request_var_request("graph_start");
 	}
 	/* override: graph end time (unix time) */
-	if (!empty($_GET["graph_end"])) {
+	if (!empty($_REQUEST["graph_end"])) {
 		$graph_data_array["graph_end"] = get_request_var_request("graph_end");
 	}
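Review bot: `$sql_where = " where id=" . $_REQUEST["rra_id"];` still splices the request value straight into SQL, so the line is safe only because `input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$")` above it is expected to terminate the request on mismatch — that helper is not visible here, so I cannot confirm it does. A cast at the point of use costs nothing and makes the line safe on its own: `$sql_where = " where id=" . (int)$_REQUEST["rra_id"];`, and likewise `(int)$_REQUEST["local_graph_id"]` in the `db_fetch_cell()` sanity check just below. Moving the two `include_once` lines below the validation block is the substantive part of the fix, since the included `top_graph_header.php` reads `graph_start`/`graph_end` itself (second file of this patch); a comment such as `/* keep these includes below the validation block: top_graph_header.php reads graph_start/graph_end from the request */` would stop someone hoisting them back. Note that `$_REQUEST` merges GET, POST and cookie values, so validating and consuming from the same array is what closes the gap, and any parameter added later must go through the same block before the includes.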
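Review bot: `id='graph_<?php print $_REQUEST["local_graph_id"] ?>'` prints the request value into an HTML attribute without escaping, while the `src` and `alt` attributes on the same line go through `htmlspecialchars()`. This is harmless only if `input_validate_input_number` (not visible here) rejects every non-numeric string; if it is `is_numeric`-based it would still accept forms such as `1e3` or leading whitespace, which are not dangerous but are not integers either. Normalising once removes the dependence: `id='graph_<?php print (int)$_REQUEST["local_graph_id"] ?>'`. The enclosing `case 'view':` block starts and ends outside this hunk.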
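Review bot: `db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"])` concatenates the parameter into SQL with no `== "all"` branch in view, although `rra_id` defaults to the string `all` at the top of the file; whether an earlier line of `case 'zoom':` already rejects `all` is outside this hunk, so I cannot tell. Because the regex validation constrains the value, `where id=all` would most likely surface as a SQL error rather than an injection, but an explicit cast documents the intent and removes the dependence on that validator: `$rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . (int)$_REQUEST["rra_id"]);`. The `case 'zoom':` block begins before this hunk.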
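Review bot: `if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates))` accepts an empty string: `isset()` is true for `graph_end=` and `"" <= <int>` is true under PHP's loose comparison, so `$graph_end` becomes `""` and is then carried into the links built further down. Whether `input_validate_input_number` rejects the empty string is not visible here; `top_graph_header.php` in this same patch uses `!empty()` for the identical parameters, so the two files disagree on the edge case. Aligning them is a one-line change per branch, e.g. `if (!empty($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {` and `if (!empty($_REQUEST["graph_start"])) {`. The surrounding `db_fetch_cell()` statement and the `case 'zoom':` block both start outside this hunk.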
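Review bot: In the CSV-export link, `&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>` is appended outside the `htmlspecialchars()` call that protects the rest of the `href`, while the properties link directly above passes the same two values through `htmlspecialchars()`. Both values derive from `$_REQUEST` or from `time()` arithmetic (see the zoom time-span code in the earlier hunk), so this is only as safe as the numeric validation at the top of the file. Making it uniform is a one-line change: `... "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'>`. The `case 'zoom':` block starts and ends outside this hunk.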
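Review bot: The zoom link on the new side still reads `get_request_var("graph_start")` and `get_request_var("graph_end")`, i.e. `$_GET` only, while every other read in this commit, including the validation calls at the top of graph.php, moved to the `$_REQUEST`-based `get_request_var_request()`. A `graph_start` supplied via POST would therefore be validated and used for the image yet silently dropped from this link; switching both calls to `get_request_var_request("graph_start")` / `get_request_var_request("graph_end")` restores the single-source rule the commit is establishing. `db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"])` lower in the hunk would also benefit from an `(int)` cast as defence in depth. The `case 'properties':` block begins before this hunk.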
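Review bot: top_graph_header.php now reads `$_REQUEST["graph_start"]` / `$_REQUEST["graph_end"]` and copies them into `$graph_data_array` without validating them; it relies on the including page having called `input_validate_input_number()` on both before the `include_once`, which graph.php now does by moving the include below its validation block. Nothing in this file enforces that ordering for other includers, so a comment above the two overrides would help: `/* graph_start/graph_end are taken from the request unvalidated here; every page that includes this file must validate them before the include (see graph.php) */`. Whether other pages that include this header validate these parameters is outside this diff. The enclosing block starts before this hunk.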