Description: Several names/titles were not sanitised, which allows a privileged user to inject XSS code. Bugs: http://bugs.cacti.net/view.php?id=2456 Author: Paul Gevers --- a/data_sources.php +++ b/data_sources.php @@ -427,7 +427,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $ds_list .= "
  • " . get_data_source_title($matches[1]) . "
    "; + $ds_list .= "
  • " . htmlspecialchars(get_data_source_title($matches[1])) . "
    "; $ds_array[$i] = $matches[1]; $i++; @@ -1359,7 +1359,7 @@ $poller_interval = ((isset($poller_intervals[$data_source["local_data_id"]])) ? $poller_intervals[$data_source["local_data_id"]] : 0); form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $data_source["local_data_id"]); $i++; - form_selectable_cell("" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "\\1", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "", $data_source["local_data_id"]); + form_selectable_cell("" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "\\1", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "", $data_source["local_data_id"]); form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id']); form_selectable_cell($data_input_name, $data_source["local_data_id"]); form_selectable_cell(get_poller_interval($poller_interval), $data_source["local_data_id"]); --- a/cdef.php +++ b/cdef.php @@ -194,7 +194,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $cdef_list .= "
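Review bot: The list hunk escapes the title with `htmlspecialchars(get_data_source_title($matches[1]))` using default flags, while the form_confirm hunks in this same commit pass ENT_QUOTES; on PHP before 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped. The entries appear to be built as element text (the rendering here has replaced the list tags with bullets), where a bare apostrophe is harmless, so this is a consistency point rather than a hole, but one flag set across the commit is easier to audit: `htmlspecialchars(get_data_source_title($matches[1]), ENT_QUOTES)`. The same applies to the list hunks in cdef.php, data_input.php, graphs.php, host_templates.php, data_templates.php, graph_templates.php and user_admin.php. If get_data_source_title() already escapes its result this would double-encode; that helper is not visible here, so confirm before applying.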
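Review bot: In the @@ -1359 hunk the removed and added lines read identically on this page, so whatever changed (presumably markup in form_selectable_cell's first argument or in the preg_replace replacement, stripped by the rendering) cannot be checked here. What is visible is that the filter is matched against the already-escaped title, so a filter containing `&`, `<` or `"` will no longer highlight; escaping the filter the same way before quoting it, `preg_quote(htmlspecialchars(get_request_var_request("filter")), "/")`, keeps the two sides comparable. Note also that htmlspecialchars() runs before title_trim(), so a title truncated at max_title_data_source can be cut inside an entity such as `&amp;` and render a stray fragment; that is pre-existing and cosmetic. The enclosing loop starts and ends outside the hunk.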
  • " . db_fetch_cell("select name from cdef where id=" . $matches[1]) . "
    "; + $cdef_list .= "
  • " . htmlspecialchars(db_fetch_cell("select name from cdef where id=" . $matches[1])) . "
    "; $cdef_array[$i] = $matches[1]; $i++; --- a/tree.php +++ b/tree.php @@ -354,7 +354,7 @@ } include("./include/top_header.php"); - form_confirm("Are You Sure?", $text, htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"])); + form_confirm("Are You Sure?", htmlspecialchars($text, ENT_QUOTES), htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"])); include("./include/bottom_footer.php"); exit; } @@ -383,7 +383,7 @@ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) { include("./include/top_header.php"); - form_confirm("Are You Sure?", "Are you sure you want to delete the tree '" . db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]) . "'?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"])); + form_confirm("Are You Sure?", "Are you sure you want to delete the tree '" . htmlspecialchars(db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]), ENT_QUOTES) . "'?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"])); include("./include/bottom_footer.php"); exit; } --- a/data_input.php +++ b/data_input.php @@ -185,7 +185,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $di_list .= "
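Review bot: In the tree.php @@ -354 hunk `$text` is escaped wholesale with `htmlspecialchars($text, ENT_QUOTES)`, but `$text` is assembled above the hunk, so if that code mixes literal markup with the database-sourced names, the markup has just been neutralised along with them. The sibling @@ -383 hunk takes the narrower route of escaping only the db_fetch_cell() result inside the message; if `$text` carries markup, apply that pattern where `$text` is built instead of here. The enclosing function starts outside the hunk, so I cannot tell which case applies.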
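Review bot: The tree.php @@ -383 hunk fixes only the output side of its line: `$_GET["id"]` is still concatenated straight into `select name from graph_tree where id=` with no validation visible in the hunk, and the same shape recurs in data_input.php @@ -246, graph_templates_inputs.php @@ -134 and data_queries.php @@ -340. The convention visible in this commit's list hunks is `input_validate_input_number(...)` at the top of the handler, and that is probably what guards these ids, but each of these hunks starts after the handler's opening lines. Confirm that the guard covers `id` and the second id each URL carries (`tree_id`, `data_input_id`, `graph_template_id`, `snmp_query_id`), rather than relying on the confirmation page being reachable only by privileged users.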
  • " . db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'") . "
  • "; + $di_list .= "
  • " . htmlspecialchars(db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'")) . "
  • "; $di_array[$i] = $matches[1]; $i++; @@ -246,7 +246,7 @@ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) { include("./include/top_header.php"); - form_confirm("Are You Sure?", "Are you sure you want to delete the field '" . db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]) . "'?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"])); + form_confirm("Are You Sure?", "Are you sure you want to delete the field '" . htmlspecialchars(db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]), ENT_QUOTES) . "'?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"])); include("./include/bottom_footer.php"); exit; } --- a/graphs.php +++ b/graphs.php @@ -387,7 +387,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $graph_list .= "
  • " . get_graph_title($matches[1]) . "
  • "; + $graph_list .= "
  • " . htmlspecialchars(get_graph_title($matches[1])) . "
  • "; $graph_array[$i] = $matches[1]; $i++; --- a/host_templates.php +++ b/host_templates.php @@ -156,7 +156,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $host_list .= "
  • " . db_fetch_cell("select name from host_template where id=" . $matches[1]) . "
    "; + $host_list .= "
  • " . htmlspecialchars(db_fetch_cell("select name from host_template where id=" . $matches[1])) . "
    "; $host_array[$i] = $matches[1]; $i++; --- a/data_templates.php +++ b/data_templates.php @@ -305,7 +305,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $ds_list .= "
  • " . db_fetch_cell("select name from data_template where id=" . $matches[1]) . "
    "; + $ds_list .= "
  • " . htmlspecialchars(db_fetch_cell("select name from data_template where id=" . $matches[1])) . "
    "; $ds_array[$i] = $matches[1]; $i++; --- a/graph_templates.php +++ b/graph_templates.php @@ -216,7 +216,7 @@ input_validate_input_number($matches[1]); /* ==================================================== */ - $graph_list .= "
  • " . db_fetch_cell("select name from graph_templates where id=" . $matches[1]) . "
    "; + $graph_list .= "
  • " . htmlspecialchars(db_fetch_cell("select name from graph_templates where id=" . $matches[1])) . "
    "; $graph_array[$i] = $matches[1]; $i++; --- a/user_admin.php +++ b/user_admin.php @@ -175,7 +175,7 @@ /* ==================================================== */ if (get_request_var_post("drp_action") != "2") { - $user_list .= "
  • " . db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1]) . "
    "; + $user_list .= "
  • " . htmlspecialchars(db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1])) . "
    "; } $user_array[$i] = $matches[1]; --- a/graph_templates_inputs.php +++ b/graph_templates_inputs.php @@ -134,7 +134,7 @@ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) { include("./include/top_header.php"); - form_confirm("Are You Sure?", "Are you sure you want to delete the input item '" . db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]) . "'? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"])); + form_confirm("Are You Sure?", "Are you sure you want to delete the input item '" . htmlspecialchars(db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]), ENT_QUOTES) . "'? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"])); include("./include/bottom_footer.php"); exit; } --- a/data_queries.php +++ b/data_queries.php 
@@ -340,7 +340,7 @@ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) { include("./include/top_header.php"); - form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph '" . db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]) . "'?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"])); + form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph '" . htmlspecialchars(db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]), ENT_QUOTES) . "'?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"])); include("./include/bottom_footer.php"); exit; }