Resolving Issue #3201

Vulnerability Report: Remote Code Execution due to input validation in Performance Boost Debug Log

Author: cigamit

CHANGELOG

@@ -2,6 +2,7 @@ Cacti CHANGELOG
 
 1.2.9
 -security#3191: CVE-2020-7106 Vulnerability report: Lack of escaping on some pages can lead to XSS exposure
+-security#3201: Vulnerability Report: Remote Code Execution due to input validation in Performance Boost Debug Log
 -issue#3038: Minor UI issue for aggregate when 'main' div width is less than 1230px
 -issue#3136: As a extra fixing for #3060, resolve 1.2.1+ upgrade wizard failure.
 -issue#3142: Chrome sets graphs tree navigation view to width 0px

lib/functions.php

@@ -1530,6 +1530,18 @@ function strip_alpha($string) {
 	}
 }
 
+/** is_valid_pathname - takes a pathname are verifies it matches file name rules
+ *  @arg $path - (char) the pathname to be tested
+ *  @returns - either true or false
+*/
+function is_valid_pathname($path) {
+	if (preg_match('/^([a-zA-Z0-9.-\\\:\/]+)$/', trim($path))) {
+		return true;
+	} else {
+		return false;
+	}
+}
+
 /** get_full_script_path - gets the full path to the script to execute to obtain data for a
  *    given data source. this function does not work on SNMP actions, only script-based actions
  *  @arg $local_data_id - (int) the ID of the data source

settings.php

@@ -109,6 +109,10 @@
 						$errors[9] = 9;
 						$continue = false;
 					}
+				} elseif (get_nfilter_request_var($field_name) != '' && !is_valid_pathname(get_nfilter_request_var($field_name))) {
+					$_SESSION['sess_error_fields'][$field_name] = $field_name;
+					$_SESSION['sess_field_values'][$field_name] = get_nfilter_request_var($field_name);
+					$errors[36] = 36;
 				}
 
 				if ($continue) {