Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When deserializating data, ensure basic sanitization has been performed #3026

Closed
cigamit opened this issue Oct 12, 2019 · 2 comments
Closed

When deserializating data, ensure basic sanitization has been performed #3026

cigamit opened this issue Oct 12, 2019 · 2 comments
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE

Comments

@cigamit
Copy link
Member

cigamit commented Oct 12, 2019

Describe the bug
As reported by Eldar Marcussen of xen1thLabs, Cacti's unserialization of form data does not properly validate the form input which can result in unsafe unserialization operations.

Expected behavior
Cacti should always check serialized data for expected formatting, or utilize JSON data within the form post to avoid the use of the unserialize() function when dealing with untrusted data.
@cigamit cigamit added bug Undesired behaviour SECURITY A security issue reported through CVE labels Oct 12, 2019
@cigamit cigamit changed the title Unsafe deserialization in Cacti Unsafe deserialization in of selected objects in Cacti Oct 12, 2019
@cigamit
Copy link
Member Author

cigamit commented Oct 12, 2019

Near term, Cacti will implement the workaround documented in StackOverflow in the following article:

https://stackoverflow.com/questions/3874744/limiting-unserialize-to-return-arrays

cigamit added a commit that referenced this issue Oct 12, 2019
@cigamit
Resolving Issue #3026
82b665b 
Unsafe deserialization in of selected objects in Cacti
cigamit added a commit that referenced this issue Oct 12, 2019
@cigamit
Resoving Issue #3026
adf2213 
Unsafe deserialization in of selected objects in Cacti
@cigamit cigamit added the resolved A fixed issue label Oct 12, 2019
@cigamit cigamit closed this as completed Oct 12, 2019
@netniV netniV changed the title Unsafe deserialization in of selected objects in Cacti When deserializating data, ensure basic sanitization has been performed Dec 7, 2019
@carnil
Copy link

carnil commented Dec 10, 2019
edited
Loading

This was assigned CVE-2019-17358.

@carnil carnil mentioned this issue Dec 10, 2019
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@carnil @cigamit