Martin Schulze wrote: > However, as I don't like the "next week" part too much, I'll try to > work on the update on my own and send you the diff for comments. > Should reduce the time you need to spend on the issue as well.
Ok, here is an update. Regards, Joey -- Computers are not intelligent. They only think they are. Please always Cc to me when replying to me on the lists.
diff -u cacti-0.6.7/include/config.php cacti-0.6.7/include/config.php
--- cacti-0.6.7/include/config.php
+++ cacti-0.6.7/include/config.php
@@ -23,6 +23,21 @@
 */?>
 <?
+/* whether or not we pull from a db, we need re-initilize */
+global $config;
+
+/* test for suspicious user-supplied variables that would otherwise
+ affect program execution, and if so zero out config for safety */
+if(isset($_GET["do_not_read_config"]) || isset($_POST["do_not_read_config"])
+ || isset($_GET["config"]) || isset($_POST["config"])){
+ $config = array();
+}
+$colors = array();
+
+## debian security backport ##
+require_once("sanitize.php");
+## debian security backport ##
+
 ## Debian packaging ##
 include("/etc/cacti/config.php");
 ## Debian packaging ##
@@ -30,9 +45,6 @@
 /* make sure this variable reflects your operating system type: 'unix' or 'win32' */
 $cacti_server_os = "unix";
-/* whether or not we pull from a db, we need re-initilize */
-global $config;
-
 if ($do_not_read_config != true) {
 if (isset($config) == false) {
 /* make a connection to the database */
diff -u cacti-0.6.7/debian/changelog cacti-0.6.7/debian/changelog
--- cacti-0.6.7/debian/changelog
+++ cacti-0.6.7/debian/changelog
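Review bot: The suspicious-variable test in the first hunk looks only at `$_GET` and `$_POST`, yet the code still depends on register_globals (`$do_not_read_config` is read as a plain variable in the second hunk), and register_globals also imports cookie values, so a `do_not_read_config` or `config` cookie would not trigger the reset. The changelog in this same patch says the 2.4 upload moved these tests to `$_REQUEST`; if this hunk is the final state, extend the condition, e.g. `|| isset($_COOKIE["do_not_read_config"]) || isset($_COOKIE["config"])`. The request-supplied `$do_not_read_config` global is also left in place, so the `if ($do_not_read_config != true)` guard still skips config loading for such a request; adding `unset($do_not_read_config);` next to `$config = array();` would restore the normal path, since no legitimate caller sets that flag through the request. Note too that `$config = array();` makes `isset($config)` true, so the `if (isset($config) == false)` database-connection branch may be bypassed for a request that tripped the check unless /etc/cacti/config.php repopulates `$config` — worth confirming which behaviour is intended.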
@@ -1,3 +1,25 @@
+cacti (0.6.7-2.4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Switched to using $_REQUEST instead of $_GET and $_POST since this
+ version only uses $foo which is similar to $_REQUEST[foo]
+ * Reduced the number of tested variables to those actually used.
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Fri, 15 Jul 2005 16:06:58 +0200
+
+cacti (0.6.7-2.3) stable-security; urgency=high
+
+ * update prepared for the security team by new maintainer.
+ * include backported updates against the two latest cacti security
+ releases. this includes the following CAN id's:
+ - CAN-2005-1524 (idefense remote file inclusion)
+ - CAN-2005-1525 (idefense SQL injection)
+ - CAN-2005-1526 (idefense remote code execution)
+ - CAN-2005-2148 (hardened-php advisories 032005 and 042005)
+ - CAN-2005-2149 (hardened-php advisory 052005)
+
+ -- sean finney <[EMAIL PROTECTED]> Mon, 11 Jul 2005 20:35:12 -0400
+
 cacti (0.6.7-2.2) stable-security; urgency=medium
 * Non-maintainer upload by Stable Release Manager
only in patch2: unchanged:
--- cacti-0.6.7.orig/include/sanitize.php
+++ cacti-0.6.7/include/sanitize.php
@@ -0,0 +1,123 @@
+<?php
+
+/*
+ * backported security-related changes from cacti
+ * by sean finney <[EMAIL PROTECTED]>
+ *
+ * to preserve my own sanity, all sanity checks are done in here, which
+ * is included by the main configuration, which is included by everything.
+ * variables that don't exist will not raise failures, so only in the case
+ * that the input exists and is not what it is supposed to be will there
+ * be an error.
+ */
+
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004 Ian Berry |
+ | |
+ | This program is free software; you can redistribute it and/or |
+ | modify it under the terms of the GNU General Public License |
+ | as published by the Free Software Foundation; either version 2 |
+ | of the License, or (at your option) any later version. |
+ | |
+ | This program is distributed in the hope that it will be useful, |
+ | but WITHOUT ANY WARRANTY; without even the implied warranty of |
+ | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
+ | GNU General Public License for more details. |
+ +-------------------------------------------------------------------------+
+ | cacti: a php-based graphing solution |
+ +-------------------------------------------------------------------------+
+ | Most of this code has been designed, written and is maintained by |
+ | Ian Berry. See about.php for specific developer credit. Any questions |
+ | or comments regarding this code should be directed to: |
+ | - [EMAIL PROTECTED] |
+ +-------------------------------------------------------------------------+
+ | - raXnet - http://www.raxnet.net/ |
+ +-------------------------------------------------------------------------+
+*/
+
+/* get_request_var_request - returns the current value of a PHP $_POST variable, optionally
+ returning a default value if the request variable does not exist
+ @arg $name - the name of the request variable. this should be a valid key in the
+ $_REQUEST array
+ @arg $default - the value to return if the specified name does not exist in the
+ $_REQUEST array
+ @returns - the value of the request variable */
+function get_request_var_request($name, $default = "")
+{
+ if (isset($_REQUEST[$name]))
+ {
+ return $_REQUEST[$name];
+ } else
+ {
+ return $default;
+ }
+}
+
+function input_validate_input_equals($value, $c_value) {
+ if ($value != $c_value) {
+ die_html_input_error();
+ }
+}
+
+function input_validate_input_number($value) {
+ if ((!is_numeric($value)) && ($value != "")) {
+ die_html_input_error();
+ }
+}
+
+function input_validate_input_regex($value, $regex) {
+ if ((!ereg($regex, $value)) && ($value != "")) {
+ die_html_input_error();
+ }
+}
+
+function die_html_input_error() {
+ global $config;
+
+ ?>
+ <table width="98%" align="center">
+ <tr>
+ <td>
+ Validation error.
+ </td>
+ </tr>
+ </table>
+ <?php
+
+ include_once("./include/bottom_footer.php");
+ exit;
+}
+
+input_validate_input_number(get_request_var_request("branch_id"));
+input_validate_input_number(get_request_var_request("graph_height"));
+input_validate_input_number(get_request_var_request("graph_start"));
+input_validate_input_number(get_request_var_request("graph_template_id"));
+input_validate_input_number(get_request_var_request("graph_width"));
+input_validate_input_number(get_request_var_request("graphid"));
+input_validate_input_number(get_request_var_request("hide"));
+input_validate_input_number(get_request_var_request("id"));
+input_validate_input_number(get_request_var_request("rra_id"));
+input_validate_input_number(get_request_var_request("tree_id"));
+input_validate_input_number(get_request_var_request("user_id"));
+
+if(isset($graph_template_id)){
+ input_validate_input_number($graph_template_id);
+}
+if(isset($matches[1])){
+ input_validate_input_number($matches[1]);
+}
+if(isset($matches[3])){
+ input_validate_input_number($matches[3]);
+}
+if(@is_array($_REQUEST["rra_id"])){
+ foreach($_REQUEST["rra_id"] as $debsec_key => $debsec_val){
+ input_validate_input_number($_REQUEST["rra_id"][$debsec_key]);
+ }
+}
+
+// The following alows more than the above test
+// input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
+input_validate_input_regex(get_request_var_request("type"), "^(in|out)$");
+
+?>
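Review bot: `input_validate_input_number(get_request_var_request("rra_id"))` runs before the `@is_array($_REQUEST["rra_id"])` loop, and an array is neither numeric nor (under PHP's loose comparison, unless I misread it) equal to `""`, so an array-valued rra_id appears to die at the scalar check and the per-element loop is never reached; if array rra_id is legitimate input, which the loop implies, guard the scalar call: `if (!@is_array($_REQUEST["rra_id"])) { input_validate_input_number(get_request_var_request("rra_id")); }`. `is_numeric()` also accepts forms such as `1e3`, hex strings (on the PHP versions of this era) and leading whitespace, so callers that still interpolate these ids into SQL should cast with `(int)` rather than treat this check as an integer guarantee; an `^[0-9]+$` ereg check would be the stricter validator for ids. `die_html_input_error()` includes `./include/bottom_footer.php` relative to the working directory, which only resolves when the request is served from the cacti root, and it declares `global $config` without using it.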