1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
Description: Several names/titles were not sanities which allowes a
privileged user to inject XSS code.
Bugs: http://bugs.cacti.net/view.php?id=2456
Author: Paul Gevers <elbrus@debian.org>
--- a/data_sources.php
+++ b/data_sources.php
@@ -427,7 +427,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $ds_list .= "<li>" . get_data_source_title($matches[1]) . "<br>";
+ $ds_list .= "<li>" . htmlspecialchars(get_data_source_title($matches[1])) . "<br>";
$ds_array[$i] = $matches[1];
$i++;
@@ -1359,7 +1359,7 @@
$poller_interval = ((isset($poller_intervals[$data_source["local_data_id"]])) ? $poller_intervals[$data_source["local_data_id"]] : 0);
form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $data_source["local_data_id"]); $i++;
- form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("data_sources.php?action=ds_edit&id=" . $data_source["local_data_id"]) . "' title='" . $data_source["name_cache"] . "'>" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "</a>", $data_source["local_data_id"]);
+ form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("data_sources.php?action=ds_edit&id=" . $data_source["local_data_id"]) . "' title='" . htmlspecialchars($data_source["name_cache"], ENT_QUOTES) . "'>" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "</a>", $data_source["local_data_id"]);
form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id']);
form_selectable_cell($data_input_name, $data_source["local_data_id"]);
form_selectable_cell(get_poller_interval($poller_interval), $data_source["local_data_id"]);
--- a/cdef.php
+++ b/cdef.php
@@ -194,7 +194,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $cdef_list .= "<li>" . db_fetch_cell("select name from cdef where id=" . $matches[1]) . "<br>";
+ $cdef_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from cdef where id=" . $matches[1])) . "<br>";
$cdef_array[$i] = $matches[1];
$i++;
--- a/tree.php
+++ b/tree.php
@@ -354,7 +354,7 @@
}
include("./include/top_header.php");
- form_confirm("Are You Sure?", $text, htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"]));
+ form_confirm("Are You Sure?", htmlspecialchars($text, ENT_QUOTES), htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"]));
include("./include/bottom_footer.php");
exit;
}
@@ -383,7 +383,7 @@
if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
include("./include/top_header.php");
- form_confirm("Are You Sure?", "Are you sure you want to delete the tree <strong>'" . db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"]));
+ form_confirm("Are You Sure?", "Are you sure you want to delete the tree <strong>'" . htmlspecialchars(db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"]));
include("./include/bottom_footer.php");
exit;
}
--- a/data_input.php
+++ b/data_input.php
@@ -185,7 +185,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $di_list .= "<li>" . db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'") . "</li>";
+ $di_list .= "<li>" . htmlspecialchars(db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'")) . "</li>";
$di_array[$i] = $matches[1];
$i++;
@@ -246,7 +246,7 @@
if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
include("./include/top_header.php");
- form_confirm("Are You Sure?", "Are you sure you want to delete the field <strong>'" . db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"]));
+ form_confirm("Are You Sure?", "Are you sure you want to delete the field <strong>'" . htmlspecialchars(db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"]));
include("./include/bottom_footer.php");
exit;
}
--- a/graphs.php
+++ b/graphs.php
@@ -387,7 +387,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $graph_list .= "<li>" . get_graph_title($matches[1]) . "</li>";
+ $graph_list .= "<li>" . htmlspecialchars(get_graph_title($matches[1])) . "</li>";
$graph_array[$i] = $matches[1];
$i++;
--- a/host_templates.php
+++ b/host_templates.php
@@ -156,7 +156,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $host_list .= "<li>" . db_fetch_cell("select name from host_template where id=" . $matches[1]) . "<br>";
+ $host_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from host_template where id=" . $matches[1])) . "<br>";
$host_array[$i] = $matches[1];
$i++;
--- a/data_templates.php
+++ b/data_templates.php
@@ -305,7 +305,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $ds_list .= "<li>" . db_fetch_cell("select name from data_template where id=" . $matches[1]) . "<br>";
+ $ds_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from data_template where id=" . $matches[1])) . "<br>";
$ds_array[$i] = $matches[1];
$i++;
--- a/graph_templates.php
+++ b/graph_templates.php
@@ -216,7 +216,7 @@
input_validate_input_number($matches[1]);
/* ==================================================== */
- $graph_list .= "<li>" . db_fetch_cell("select name from graph_templates where id=" . $matches[1]) . "<br>";
+ $graph_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from graph_templates where id=" . $matches[1])) . "<br>";
$graph_array[$i] = $matches[1];
$i++;
--- a/user_admin.php
+++ b/user_admin.php
@@ -175,7 +175,7 @@
/* ==================================================== */
if (get_request_var_post("drp_action") != "2") {
- $user_list .= "<li>" . db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1]) . "<br>";
+ $user_list .= "<li>" . htmlspecialchars(db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1])) . "<br>";
}
$user_array[$i] = $matches[1];
--- a/graph_templates_inputs.php
+++ b/graph_templates_inputs.php
@@ -134,7 +134,7 @@
if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
include("./include/top_header.php");
- form_confirm("Are You Sure?", "Are you sure you want to delete the input item <strong>'" . db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]) . "'</strong>? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"]));
+ form_confirm("Are You Sure?", "Are you sure you want to delete the input item <strong>'" . htmlspecialchars(db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"]));
include("./include/bottom_footer.php");
exit;
}
--- a/data_queries.php
+++ b/data_queries.php
@@ -340,7 +340,7 @@
if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
include("./include/top_header.php");
- form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph <strong>'" . db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"]));
+ form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph <strong>'" . htmlspecialchars(db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"]));
include("./include/bottom_footer.php");
exit;
}
|