Lack of escaping of color items can lead to XSS exposure (CVE-2020-7106) #3467

Closed
ddb4github opened this issue Apr 16, 2020 · 7 comments
Labels
bug Undesired behaviour confirmed Bug is confirm by dev team resolved A fixed issue SECURITY A security issue reported through CVE
Milestone

Comments

@ddb4github
Contributor

Describe the bug

Ref #3191, try <svg/onload=alert(1)> in pollers.php.
See attached screenshot.

Screenshots

(screenshot attached to the original issue; not recoverable here)

Additional context

Issue code lines:

```
pollers.php:297:         raise_message('dupe_hostname', __('You have already used this hostname \'%s\'.  Please enter a non-duplicate hostname.', $save['hostname']), MESSAGE_LEVEL_ERROR);
pollers.php:303:         raise_message('dupe_dbhost', __('You have already used this database hostname \'%s\'.  Please enter a non-duplicate database hostname.', $save['hostname']), MESSAGE_LEVEL_ERROR);
```
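The two quoted lines format a user-supplied hostname straight into an HTML error message. The following is an added example, not Cacti's code: it reproduces that message construction in isolation and places it beside a variant that escapes the untrusted value first. Cacti's `__()` translation helper is stubbed here as a plain `sprintf` wrapper, which is an assumption about its formatting behaviour, not its real implementation; the escaping call is a generic `htmlspecialchars`, not a claim about what the project's fix used.

```php
<?php
// Added example (not Cacti's code). Stub for Cacti's __() helper: assumed to
// translate a format string and then apply its arguments sprintf-style.
function __(string $fmt, ...$args): string {
    return sprintf($fmt, ...$args);
}

// Same shape as the quoted pollers.php lines: the hostname is interpolated
// as-is, so any markup in the value survives into the rendered message.
function dupe_hostname_message_unescaped(string $hostname): string {
    return __("You have already used this hostname '%s'.  Please enter a non-duplicate hostname.",
              $hostname);
}

// Hardened shape: escape the untrusted value before it is formatted into the
// message. ENT_QUOTES covers both quote characters as well as <, > and &.
function dupe_hostname_message_escaped(string $hostname): string {
    return __("You have already used this hostname '%s'.  Please enter a non-duplicate hostname.",
              htmlspecialchars($hostname, ENT_QUOTES, 'UTF-8'));
}

// Simple check a reviewer can run over a message: does any raw tag opener
// remain after construction?
function message_contains_raw_tag(string $message): bool {
    return preg_match('/<[a-zA-Z]/', $message) === 1;
}

// Constructed sample input: the probe string quoted in the issue.
$probe = '<svg/onload=alert(1)>';

$unescaped = dupe_hostname_message_unescaped($probe);
$escaped   = dupe_hostname_message_escaped($probe);

printf("unescaped message keeps raw tag: %s\n", message_contains_raw_tag($unescaped) ? 'yes' : 'no');
printf("escaped message keeps raw tag:   %s\n", message_contains_raw_tag($escaped) ? 'yes' : 'no');
echo $escaped, PHP_EOL;
```

The same pattern applies to every `raise_message()` call that embeds a request-derived value, which is the "grep the whole tree" review the reporter describes later in this thread: the fix belongs at the point where the untrusted value enters the message, not in the message template.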
@ddb4github ddb4github added bug Undesired behaviour unverified Some days we don't have a clue labels Apr 16, 2020
@TheWitness TheWitness added resolved A fixed issue and removed unverified Some days we don't have a clue labels Apr 16, 2020
TheWitness added a commit that referenced this issue Apr 16, 2020
Security: required more fixing like #3191((CVE-2020-7106))
@TheWitness
Member

Nice bug hunting @ddb4github (aka Jing Chen).

@TheWitness TheWitness added this to the 1.2.12 milestone Apr 16, 2020
@ddb4github
Contributor Author

Actually, this issue was found by 'grep/review code/create test case to verify' when I checked the #3191 solution for all PHP files.
I'll create another PR for thold/syslog today, just because thold+syslog have only a dozen lines to be reviewed. Cacti core has hundreds of lines now.

@ddb4github ddb4github changed the title Security: required more fixing like #3191((CVE-2020-7106)) Security: required more fixing like #3191(CVE-2020-7106) Apr 17, 2020
@netniV
Member

netniV commented Apr 17, 2020

Since this is additional, should this have a new CVE?

@TheWitness
Member

I think so, and update the CHANGELOG appropriately.

@ddb4github
Contributor Author

Confirmed issue page:

  • color_templates.php: Sync Aggregates Action

TheWitness added a commit that referenced this issue Apr 20, 2020
* Cannot Create New Automation Graph Rules in 1.2.11
* Additional Security issue within Color Templates
@netniV netniV added the confirmed Bug is confirm by dev team label Apr 26, 2020
@netniV netniV added the SECURITY A security issue reported through CVE label May 3, 2020
@netniV netniV changed the title Security: required more fixing like #3191(CVE-2020-7106) Lack of escaping of color items can lead to XSS exposure (CVE-2020-7106) May 3, 2020
@z00z004242

z00z004242 commented May 12, 2020

Hi everyone.
As netniV said, CVE-2020-7106 is already related to issue #3191. This issue should have the same CVE as the other one. Could you please assign another one?
Regards,
W

@netniV
Member

netniV commented May 12, 2020

Whilst the vulnerability appears to be the same as the original, I would agree with @z00z004242 that a new one should be requested referring to the original (probably by @ddb4github as the researcher who found it) because of:

Establishing whether the vulnerabilities differ

In cases of multiple findings reported at the same time for a single product, separate CVE IDs are sometimes needed when there is a difference in the primary vulnerability types or affected versions.

Since this now affects 1.2.12 it is technically a later version than the original CVE reported. Also, by mentioning the earlier CVE, the CVE team can themselves determine if this should be assigned a new number or appended to the old one.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 11, 2020