Skip to content

Security issue allows to view all graphs #2964

Closed
@george-kar

Description

@george-kar

I have created a user with no group membership. Graph permission default is DENY and I have selected all graphs Restricted instead of 1. I have device params default DENY and only set to specific one. Template perm is set to DENY. Tree Perms is also default DENY and I set to access only a specific one. When I login with that user I see only one option in tree and when I click on the device I see the graph. Everything is fine. But if I take the url

domain.com/graph_json.php?rra_id=0&local_graph_id=3205&graph_start=1569069730&graph_end=1569156130&graph_height=120&graph_width=500

and change the local_graph_id with another value ie 5312 I get a response and inside that response I see the image which is base64. If I decode and create png I can see the other graph that I dont have permission to see.

I tried to update to latest cacti 1.2.6 and it still get that security issue. I also checked the source code carefully and I don't see any permission check regarding graphs. For example I see permission check for tree node creation but not for graphs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    SECURITYA security issue reported through CVEbugUndesired behaviourresolvedA fixed issue

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions