Re: Cacti XSS fixes in 0.8.7g

[Josh Bressers <bressers () redhat com>]

Sorry for the delay. IDs inline.


----- "Tomas Hoger" <thoger () redhat com> wrote:

> Hi!
>
> Cacti 0.8.7g was released some days ago:
>   http://cacti.net/release_notes_0_8_7g.php
>
> Release notes mention couple of security issue previously fixed in
> (withdrawn) 0.8.7f, but adds new protections against couple of XSS
> issues.
>
>
> "XSS 4" from CVE-2009-4032 was not fixed previously:
>   https://bugzilla.redhat.com/show_bug.cgi?id=541279#c17
>
> Fixed in include/top_graph_header.php change in:
>   http://svn.cacti.net/viewvc?view=rev&revision=6025

Use CVE-2010-2543

> Search pattern in log file viewer was not filtered for bad
> characters,
> or escaped before echoing pattern back to page:
>   https://bugzilla.redhat.com/show_bug.cgi?id=459105
>
> Possible victims are administrative users with access to log viewer
> page.  Fixed in r6025, which adds escaping to other search patterns
> too, but others were filtered previously.

Use CVE-2010-2544

> Multiple persistent XSS via various item names or descriptions.
> Attacker needs to have certain administrative privileges, so this is
> fairly lame issue.
>   https://bugzilla.redhat.com/show_bug.cgi?id=459229
>
> Originally discovered for template names, where template XML import
> provides additional vector (trusted admin tricked to import untrusted
> template vs. untrusted admin).  HTML escaping added on various places
> in r6037, r6038, r6041 and r6042.

Use CVE-2010-2545

Thanks.

-- 
    JB