Resolving Issues #2213, #2214, #2215 and Additional
Multiple XSS vectors associated with un-escaped strings. Introduce a new
function, audit all calls, replace inline styles with classes, and fix some
missed i18n.
cigamit committed Dec 16, 2018
1 parent f7cb839 commit 80c2a88
Showing 29 changed files with 127 additions and 123 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ Cacti CHANGELOG
-issue#2202: Can't create more than one graph with add_graphs.php from one template
-issue#2207: Removing Graph Template does not Remove Data Query Associations
-issue#2212: Stored XSS in "Website Hostname" field
-issue#2213: Stored XSS in "Website Hostname" field - Devices
-issue#2214: Stored XSS in "Vertical Label" field - Graph
-issue#2215: Stored XSS in "Name" field - Color
-feature: Update phpseclib to version 2.0.12

1.2.0 Beta 4
Expand Down
6 changes: 3 additions & 3 deletions aggregate_graphs.php
Original file line number Diff line number Diff line change
Expand Up @@ -1199,12 +1199,12 @@ function clearFilter() {
if (validate_is_regex(get_request_var('rfilter'))) {
form_selectable_cell(filter_value($graph['title_cache'], get_request_var('rfilter')), $graph['local_graph_id']);
} else {
form_selectable_cell(get_request_var('rfilter') != '' ? aggregate_format_text(html_escape($graph['title_cache']), get_request_var('rfilter')) : html_escape($graph['title_cache']), $graph['local_graph_id']);
form_selectable_ecell(get_request_var('rfilter') != '' ? aggregate_format_text($graph['title_cache'], get_request_var('rfilter')) : $graph['title_cache'], $graph['local_graph_id']);
}

form_selectable_cell($graph['local_graph_id'], $graph['local_graph_id'], '', 'right');
form_selectable_cell(($graph['agg_graph_id'] != '' ? "<span class='associated'>" . __('Yes') . '</span>':"<span class='notAssociated'>" . __('No') . "</span>"), $graph['local_graph_id']);
form_selectable_cell($graph['height'] . 'x' . $graph['width'], $graph['local_graph_id'], '', 'right');
form_selectable_ecell($graph['height'] . 'x' . $graph['width'], $graph['local_graph_id'], '', 'right');
form_checkbox_cell($graph['title_cache'], $graph['local_graph_id']);
form_end_row();
}
Expand Down Expand Up @@ -1528,7 +1528,7 @@ function clearFilter() {
form_selectable_cell(filter_value(title_trim($graph['title_cache'], read_config_option('max_title_length')), get_request_var('filter'), 'aggregate_graphs.php?action=edit&id=' . $graph['local_graph_id']), $graph['local_graph_id']);
form_selectable_cell($graph['local_graph_id'], $graph['local_graph_id'], '', 'right');
form_selectable_cell((empty($graph['name']) ? '<em>' . __('None') . '</em>' : filter_value($template_name, get_request_var('filter'))), $graph['local_graph_id']);
form_selectable_cell($graph['height'] . 'x' . $graph['width'], $graph['local_graph_id'], '', 'right');
form_selectable_ecell($graph['height'] . 'x' . $graph['width'], $graph['local_graph_id'], '', 'right');
form_checkbox_cell($graph['title_cache'], $graph['local_graph_id']);
form_end_row();
}
Expand Down
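Review bot: The else branch on the first hunk's new line now passes the raw title into aggregate_format_text() and escapes the whole result through form_selectable_ecell, whereas the old line escaped the title first and emitted the formatted result unchanged. If aggregate_format_text() wraps the matched filter text in highlight markup (its definition is outside this view, so this is inference), that markup will now be rendered literally; if it returns plain text the new form is correct. Worth confirming, and if markup is involved the safer layering is to escape before formatting: `form_selectable_cell(get_request_var('rfilter') != '' ? aggregate_format_text(html_escape($graph['title_cache']), get_request_var('rfilter')) : html_escape($graph['title_cache']), $graph['local_graph_id']);`. The enclosing loop starts and ends outside the hunk.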
4 changes: 2 additions & 2 deletions aggregate_templates.php
Original file line number Diff line number Diff line change
Expand Up @@ -658,8 +658,8 @@ function aggregate_template() {

form_alternate_row('line' . $template['id'], true, $disabled);
form_selectable_cell(filter_value($template['name'], get_request_var('filter'), 'aggregate_templates.php?action=edit&id=' . $template['id'] . '&page=1'), $template['id']);
form_selectable_cell($disabled ? 'No':'Yes', $template['id'], '', 'text-align:right');
form_selectable_cell('<a class="linkEditMain" href="' . html_escape('aggregate_graphs.php?reset=true&template_id=' . $template['id']) . '">' . number_format_i18n($template['graphs'], '-1') . '</a>', $template['id'], '', 'text-align:right;');
form_selectable_cell($disabled ? __('No'):__('Yes'), $template['id'], '', 'right');
form_selectable_cell('<a class="linkEditMain" href="' . html_escape('aggregate_graphs.php?reset=true&template_id=' . $template['id']) . '">' . number_format_i18n($template['graphs'], '-1') . '</a>', $template['id'], '', 'right');
form_selectable_cell(filter_value($template['graph_template_name'], get_request_var('filter')), $template['id']);
form_checkbox_cell($template['graph_template_name'], $template['id'], $disabled);
form_end_row();
Expand Down
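Review bot: The fourth argument of form_selectable_cell on the two changed lines moves from an inline style (`'text-align:right'`) to the bare class name `'right'`, which only aligns the cell if form_selectable_cell() — defined outside this view, presumably in lib/html.php — was updated in the same commit to emit that argument as a class attribute rather than a style. The same switch is made in automation_networks.php, cdef.php, color_templates.php, data_debug.php, data_input.php, data_queries.php, data_source_profiles.php and data_sources.php; if the helper still treats the argument as a style string, all of those cells lose their alignment silently with no error. A short docblock on form_selectable_cell() stating that the argument is now a CSS class, not a style declaration, would make the new call sites self-explanatory. The enclosing loop in aggregate_template() starts and ends outside the hunk.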
20 changes: 10 additions & 10 deletions automation_networks.php
Original file line number Diff line number Diff line change
Expand Up @@ -1133,17 +1133,17 @@ function networks() {
}

form_alternate_row('line' . $network['id'], true);
form_selectable_cell('<a class="linkEditMain" href="' . html_escape('automation_networks.php?action=edit&id=' . $network['id']) . '">' . $network['name'] . '</a>', $network['id']);
form_selectable_cell($network['data_collector'], $network['id']);
form_selectable_cell('<a class="linkEditMain" href="' . html_escape('automation_networks.php?action=edit&id=' . $network['id']) . '">' . html_escape($network['name']) . '</a>', $network['id']);
form_selectable_ecell($network['data_collector'], $network['id']);
form_selectable_cell($sched_types[$network['sched_type']], $network['id']);
form_selectable_cell(number_format_i18n($network['total_ips']), $network['id'], '', 'text-align:right;');
form_selectable_cell($mystat, $network['id'], '', 'text-align:right;');
form_selectable_cell($progress, $network['id'], '', 'text-align:right;');
form_selectable_cell(number_format_i18n($updown['up']) . '/' . number_format_i18n($updown['snmp']), $network['id'], '', 'text-align:right;');
form_selectable_cell(number_format_i18n($network['threads']), $network['id'], '', 'text-align:right;');
form_selectable_cell(round($network['last_runtime'],2), $network['id'], '', 'text-align:right;');
form_selectable_cell($network['enabled'] == '' || $network['sched_type'] == '1' ? __('N/A'):($network['next_start'] == '0000-00-00 00:00:00' ? substr($network['start_at'],0,16):substr($network['next_start'],0,16)), $network['id'], '', 'text-align:right;');
form_selectable_cell($network['last_started'] == '0000-00-00 00:00:00' ? 'Never':substr($network['last_started'],0,16), $network['id'], '', 'text-align:right;');
form_selectable_cell(number_format_i18n($network['total_ips']), $network['id'], '', 'right');
form_selectable_cell($mystat, $network['id'], '', 'right');
form_selectable_cell($progress, $network['id'], '', 'right');
form_selectable_cell(number_format_i18n($updown['up']) . '/' . number_format_i18n($updown['snmp']), $network['id'], '', 'right');
form_selectable_cell(number_format_i18n($network['threads']), $network['id'], '', 'right');
form_selectable_cell(round($network['last_runtime'],2), $network['id'], '', 'right');
form_selectable_cell($network['enabled'] == '' || $network['sched_type'] == '1' ? __('N/A'):($network['next_start'] == '0000-00-00 00:00:00' ? substr($network['start_at'],0,16):substr($network['next_start'],0,16)), $network['id'], '', 'right');
form_selectable_cell($network['last_started'] == '0000-00-00 00:00:00' ? __('Never'):substr($network['last_started'],0,16), $network['id'], '', 'right');
form_checkbox_cell($network['name'], $network['id']);
form_end_row();
}
Expand Down
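Review bot: `$mystat` and `$progress` on the new status and progress cell lines are still emitted through the non-escaping form_selectable_cell, and both are assigned above the hunk, so it is not visible here whether they contain any user-controlled text. If they are assembled only from fixed strings, icons and number formatting that is fine, but since this commit's purpose is to audit every such call, a one-line comment at their assignment such as `// built from fixed markup only; safe to emit unescaped` would record the audit result for the next reader. The truncated start_at/next_start/last_started values on the later lines are likewise unescaped; as datetime columns they are low risk but the same reasoning applies. The enclosing loop in networks() starts and ends outside the hunk.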
4 changes: 2 additions & 2 deletions automation_tree_rules.php
Original file line number Diff line number Diff line change
Expand Up @@ -947,13 +947,13 @@ function clearFilter() {
if (cacti_sizeof($automation_tree_rules)) {
foreach ($automation_tree_rules as $automation_tree_rule) {
$tree_item_type_name = ((empty($automation_tree_rule['leaf_type'])) ? '<em>' . __('None') . '</em>' : $automation_tree_item_types[$automation_tree_rule['leaf_type']]);
$subtree_name = ((empty($automation_tree_rule['subtree_name'])) ? '<em>' . __('ROOT') . '</em>' : $automation_tree_rule['subtree_name']);
$subtree_name = ((empty($automation_tree_rule['subtree_name'])) ? '<em>' . __('ROOT') . '</em>' : html_escape($automation_tree_rule['subtree_name']));
$tree_host_grouping_type = ((empty($host_group_types[$automation_tree_rule['host_grouping_type']])) ? '' : $host_group_types[$automation_tree_rule['host_grouping_type']]);
form_alternate_row('line' . $automation_tree_rule['id'], true);

form_selectable_cell(filter_value($automation_tree_rule['name'], get_request_var('filter'), 'automation_tree_rules.php?action=edit&id=' . $automation_tree_rule['id'] . '&page=1'), $automation_tree_rule['id']);
form_selectable_cell($automation_tree_rule['id'], $automation_tree_rule['id'], '', 'text-align:right');
form_selectable_cell($automation_tree_rule['tree_name'], $automation_tree_rule['id']);
form_selectable_ecell($automation_tree_rule['tree_name'], $automation_tree_rule['id']);
form_selectable_cell($subtree_name, $automation_tree_rule['id']);
form_selectable_cell($tree_item_type_name, $automation_tree_rule['id']);
form_selectable_cell($tree_host_grouping_type, $automation_tree_rule['id']);
Expand Down
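Review bot: The unchanged id cell line still passes the inline style `'text-align:right'` as the fourth argument of form_selectable_cell, while the rest of this commit switches that argument to the class name `'right'`; if form_selectable_cell() now emits the argument as a class (its definition is outside this view), this line will produce an unusable class value and lose its alignment. Suggest `form_selectable_cell($automation_tree_rule['id'], $automation_tree_rule['id'], '', 'right');` to match the other call sites. The foreach loop continues past the end of the hunk.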
10 changes: 5 additions & 5 deletions cdef.php
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ function draw_cdef_preview($cdef_id) {
?>
<tr class='even'>
<td style='padding:4px'>
<pre>cdef=<?php print get_cdef($cdef_id, true);?></pre>
<pre>cdef=<?php print html_escape(get_cdef($cdef_id, true));?></pre>
</td>
</tr>
<?php
Expand Down Expand Up @@ -433,7 +433,7 @@ function item_edit() {
draw_cdef_preview(get_request_var('cdef_id'));
html_end_box();

form_start('cdef.php', 'form_cdef');
form_start('cdef.php', 'chk');

$cdef_name = db_fetch_cell_prepared('SELECT name
FROM cdef
Expand Down Expand Up @@ -897,9 +897,9 @@ function clearFilter() {

form_alternate_row('line' . $cdef['id'], false, $disabled);
form_selectable_cell(filter_value($cdef['name'], get_request_var('filter'), 'cdef.php?action=edit&id=' . $cdef['id']), $cdef['id']);
form_selectable_cell($disabled ? __('No') : __('Yes'), $cdef['id'], '', 'text-align:right');
form_selectable_cell(number_format_i18n($cdef['graphs'], '-1'), $cdef['id'], '', 'text-align:right');
form_selectable_cell(number_format_i18n($cdef['templates'], '-1'), $cdef['id'], '', 'text-align:right');
form_selectable_cell($disabled ? __('No'):__('Yes'), $cdef['id'], '', 'right');
form_selectable_cell(number_format_i18n($cdef['graphs'], '-1'), $cdef['id'], '', 'right');
form_selectable_cell(number_format_i18n($cdef['templates'], '-1'), $cdef['id'], '', 'right');
form_checkbox_cell($cdef['name'], $cdef['id'], $disabled);
form_end_row();
}
Expand Down
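Review bot: The form name change from `'form_cdef'` to `'chk'` in item_edit() is not described in the commit message and is unrelated to the escaping fix; any JavaScript or CSS that selects the form by its old name (none is visible in this view) would silently stop matching. If the rename is deliberate, a short comment on that line stating why the form is now named `chk` would keep it from being reverted as an accident during a later cleanup. The surrounding function body continues outside the hunk.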
6 changes: 3 additions & 3 deletions color_templates.php
Original file line number Diff line number Diff line change
Expand Up @@ -575,9 +575,9 @@ function aggregate_color_template() {
form_alternate_row('line' . $template['color_template_id'], true);

form_selectable_cell(filter_value($template['name'], get_request_var('filter'), 'color_templates.php?action=template_edit&color_template_id=' . $template['color_template_id'] . '&page=1'), $template['color_template_id']);
form_selectable_cell($disabled ? __('No') : __('Yes'), $template['color_template_id'], '', 'text-align:right');
form_selectable_cell(number_format_i18n($template['graphs']), $template['color_template_id'], '', 'text-align:right;');
form_selectable_cell(number_format_i18n($template['templates']), $template['color_template_id'], '', 'text-align:right;');
form_selectable_cell($disabled ? __('No'):__('Yes'), $template['color_template_id'], '', 'right');
form_selectable_cell(number_format_i18n($template['graphs']), $template['color_template_id'], '', 'right');
form_selectable_cell(number_format_i18n($template['templates']), $template['color_template_id'], '', 'right');
form_checkbox_cell($template['name'], $template['color_template_id'], $disabled);
form_end_row();
}
Expand Down
37 changes: 14 additions & 23 deletions data_debug.php
Original file line number Diff line number Diff line change
Expand Up @@ -259,18 +259,18 @@ function debug_wizard() {
if (strlen($name) > 50) {
$name = substr($name, 0, 50);
}
form_selectable_cell('<a class="linkEditMain" title="' . $title .'" href="' . htmlspecialchars('data_debug.php?action=view&id=' . $check['id']) . '">' . $name . '</a>', $check['id']);
form_selectable_cell($user, $check['id']);
form_selectable_cell('<a class="linkEditMain" title="' . $title .'" href="' . html_escape('data_debug.php?action=view&id=' . $check['id']) . '">' . html_escape($name) . '</a>', $check['id']);
form_selectable_ecell($user, $check['id']);
form_selectable_cell(date('F j, Y, G:i', $check['started']), $check['id']);
form_selectable_cell($check['datasource'], $check['id']);
form_selectable_cell(debug_icon(($check['done'] ? (strlen($issue_line) ? 'off' : 'on' ) : '')), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon($info['rrd_writable']), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon($info['rrd_exists']), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon($info['active']), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon($info['rrd_match']), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon($info['valid_data']), $check['id'], '', 'text-align: center;');
form_selectable_cell(debug_icon(($info['rra_timestamp2'] != '' ? 1 : '')), $check['id'], '', 'text-align: center;');
form_selectable_cell('<a class=\'linkEditMain\' href=\'#\' title="' . html_escape($issue_title) . '">' . html_escape(strlen(trim($issue_line)) ? $issue_line : '<none>') . '</a>', $check['id']);
form_selectable_ecell($check['datasource'], $check['id']);
form_selectable_cell(debug_icon(($check['done'] ? (strlen($issue_line) ? 'off' : 'on' ) : '')), $check['id'], '', 'center');
form_selectable_cell(debug_icon($info['rrd_writable']), $check['id'], '', 'center');
form_selectable_cell(debug_icon($info['rrd_exists']), $check['id'], '', 'center');
form_selectable_cell(debug_icon($info['active']), $check['id'], '', 'center');
form_selectable_cell(debug_icon($info['rrd_match']), $check['id'], '', 'center');
form_selectable_cell(debug_icon($info['valid_data']), $check['id'], '', 'center');
form_selectable_cell(debug_icon(($info['rra_timestamp2'] != '' ? 1 : '')), $check['id'], '', 'center');
form_selectable_cell('<a class=\'linkEditMain\' href=\'#\' title="' . html_escape($issue_title) . '">' . html_escape(strlen(trim($issue_line)) ? $issue_line : __('<none>')) . '</a>', $check['id']);
form_checkbox_cell($check['id'], $check['id']);
form_end_row();
}
Expand Down Expand Up @@ -345,9 +345,9 @@ function debug_view() {
$field_name = $field['name'];

form_alternate_row('line' . $i);
form_selectable_cell($field['title'], $i);
form_selectable_ecell($field['title'], $i);

$value = '<not set>';
$value = __('<not set>');
$icon = '';

if (array_key_exists($field_name, $check['info'])) {
Expand All @@ -368,7 +368,7 @@ function debug_view() {
$value = substr($value, 0, 100);
}

form_selectable_cell($value, $i, '', '', $value_title);
form_selectable_ecell($value, $i, '', '', $value_title);
form_selectable_cell($icon, $i);

form_end_row();
Expand All @@ -377,15 +377,6 @@ function debug_view() {


html_end_box(false);

/*
print "<pre>";
if (isset($check) && is_array($check)) {
print_r($check);
}
print "</pre>";
*/

}

function debug_icon($result) {
Expand Down
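Review bot: In the first hunk, the link line now escapes `$name` for the anchor text but still interpolates `$title` into the title="..." attribute without html_escape(); `$title` is assigned above the hunk, and if it derives from the same user-entered data as `$name` (which the 50-character truncation of `$name` suggests, though that is inference) the attribute remains an injection point of exactly the kind this commit is closing. Suggest `form_selectable_cell('<a class="linkEditMain" title="' . html_escape($title) . '" href="' . html_escape('data_debug.php?action=view&id=' . $check['id']) . '">' . html_escape($name) . '</a>', $check['id']);`. The `$icon` cell in the second hunk is also emitted unescaped; it looks like fixed markup but its construction is outside the hunk. debug_wizard()'s loop starts and ends outside the first hunk.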
6 changes: 3 additions & 3 deletions data_input.php
Original file line number Diff line number Diff line change
Expand Up @@ -922,9 +922,9 @@ function clearFilter() {
}
form_alternate_row('line' . $data_input['id'], true, $disabled);
form_selectable_cell(filter_value($data_input['name'], get_request_var('filter'), 'data_input.php?action=edit&id=' . $data_input['id']), $data_input['id']);
form_selectable_cell($disabled ? __('No'): __('Yes'), $data_input['id'],'', 'text-align:right');
form_selectable_cell(number_format_i18n($data_input['data_sources'], '-1'), $data_input['id'],'', 'text-align:right');
form_selectable_cell(number_format_i18n($data_input['templates'], '-1'), $data_input['id'],'', 'text-align:right');
form_selectable_cell($disabled ? __('No'):__('Yes'), $data_input['id'],'', 'right');
form_selectable_cell(number_format_i18n($data_input['data_sources'], '-1'), $data_input['id'],'', 'right');
form_selectable_cell(number_format_i18n($data_input['templates'], '-1'), $data_input['id'],'', 'right');
form_selectable_cell($input_types[$data_input['type_id']], $data_input['id']);
form_checkbox_cell($data_input['name'], $data_input['id'], $disabled);
form_end_row();
Expand Down
8 changes: 4 additions & 4 deletions data_queries.php
Original file line number Diff line number Diff line change
Expand Up @@ -1379,10 +1379,10 @@ function clearFilter() {

form_alternate_row('line' . $snmp_query['id'], true, $disabled);
form_selectable_cell(filter_value($snmp_query['name'], get_request_var('filter'), 'data_queries.php?action=edit&id=' . $snmp_query['id']), $snmp_query['id']);
form_selectable_cell($snmp_query['id'], $snmp_query['id'], '', 'text-align:right;');
form_selectable_cell($disabled ? __('No') : __('Yes'), $snmp_query['id'], '', 'text-align:right');
form_selectable_cell(number_format_i18n($snmp_query['graphs'], '-1'), $snmp_query['id'], '', 'text-align:right');
form_selectable_cell(number_format_i18n($snmp_query['templates'], '-1'), $snmp_query['id'], '', 'text-align:right');
form_selectable_cell($snmp_query['id'], $snmp_query['id'], '', 'right');
form_selectable_cell($disabled ? __('No'):__('Yes'), $snmp_query['id'], '', 'right');
form_selectable_cell(number_format_i18n($snmp_query['graphs'], '-1'), $snmp_query['id'], '', 'right');
form_selectable_cell(number_format_i18n($snmp_query['templates'], '-1'), $snmp_query['id'], '', 'right');
form_selectable_cell(filter_value($snmp_query['data_input_method'], get_request_var('filter')), $snmp_query['id']);
form_checkbox_cell($snmp_query['name'], $snmp_query['id'], $disabled);
form_end_row();
Expand Down
14 changes: 7 additions & 7 deletions data_source_profiles.php
Original file line number Diff line number Diff line change
Expand Up @@ -1001,13 +1001,13 @@ function clearFilter() {

form_alternate_row('line' . $profile['id'], false, $disabled);
form_selectable_cell(filter_value($profile['name'], get_request_var('filter'), 'data_source_profiles.php?action=edit&id=' . $profile['id']), $profile['id']);
form_selectable_cell($profile['default'] == 'on' ? __('Yes'):'', $profile['id'], '', 'text-align:right');
form_selectable_cell($disabled ? __('No') : __('Yes'), $profile['id'], '', 'text-align:right');
form_selectable_cell($readonly ? __('Yes') : __('No'), $profile['id'], '', 'text-align:right');
form_selectable_cell($sampling_intervals[$profile['step']], $profile['id'], '', 'text-align:right');
form_selectable_cell($heartbeats[$profile['heartbeat']], $profile['id'], '', 'text-align:right');
form_selectable_cell($ds, $profile['id'], '', 'text-align:right');
form_selectable_cell($dt, $profile['id'], '', 'text-align:right');
form_selectable_cell($profile['default'] == 'on' ? __('Yes'):'', $profile['id'], '', 'right');
form_selectable_cell($disabled ? __('No'):__('Yes'), $profile['id'], '', 'right');
form_selectable_cell($readonly ? __('Yes'):__('No'), $profile['id'], '', 'right');
form_selectable_cell($sampling_intervals[$profile['step']], $profile['id'], '', 'right');
form_selectable_cell($heartbeats[$profile['heartbeat']], $profile['id'], '', 'right');
form_selectable_cell($ds, $profile['id'], '', 'right');
form_selectable_cell($dt, $profile['id'], '', 'right');
form_checkbox_cell($profile['name'], $profile['id'], $disabled);
form_end_row();
}
Expand Down
4 changes: 2 additions & 2 deletions data_sources.php
Original file line number Diff line number Diff line change
Expand Up @@ -1560,10 +1560,10 @@ function clearFilter() {

form_alternate_row('line' . $data_source['local_data_id'], true, $disabled);
form_selectable_cell(filter_value(title_trim($data_source['name_cache'], read_config_option('max_title_length')), get_request_var('rfilter'), 'data_sources.php?action=ds_edit&id=' . $data_source['local_data_id']), $data_source['local_data_id']);
form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id'], '', 'text-align:right');
form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id'], '', 'right');
form_selectable_cell(get_poller_interval($data_source['rrd_step'], $data_source['data_source_profile_id']), $data_source['local_data_id']);
form_selectable_cell(api_data_source_deletable($data_source['local_data_id']) ? __('Yes') : __('No'), $data_source['local_data_id']);
form_selectable_cell(($data_source['active'] == 'on' ? __('Yes') : __('No')), $data_source['local_data_id']);
form_selectable_cell(($data_source['active'] == 'on' ? __('Yes'):__('No')), $data_source['local_data_id']);
form_selectable_cell($data_template_name, $data_source['local_data_id']);
form_checkbox_cell($data_source['name_cache'], $data_source['local_data_id'], $disabled);
form_end_row();
Expand Down
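Review bot: `$data_template_name` on the unchanged line before form_checkbox_cell is still emitted through the non-escaping form_selectable_cell; it is assigned above the hunk, so whether it is already escaped is not visible here, but a data template name is operator-entered text of the same kind this commit escapes elsewhere. If it is not escaped at assignment, `form_selectable_ecell($data_template_name, $data_source['local_data_id']);` closes the gap; if it is, a comment at the assignment saying so would spare the next audit the same question. The enclosing loop continues outside the hunk.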