CVE-2015-8369: cacti: SQL injection in graph.php

Related Vulnerabilities: CVE-2015-8369, CVE-2015-8377

Debian Bug report logs - #807599


Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 10 Dec 2015 17:45:01 UTC

Severity: important

Tags: security, upstream

Found in versions cacti/0.8.8f+ds1-2, cacti/0.8.8b+dfsg-8, cacti/0.8.7g-1+squeeze9

Fixed in versions cacti/0.8.8a+dfsg-5+deb7u7, cacti/0.8.8f+ds1-3, cacti/0.8.7g-1+squeeze9+deb6u11, cacti/0.8.8b+dfsg-8+deb8u3, cacti/0.8.7g-1+squeeze9+deb6u13

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.cacti.net/view.php?id=2646



Report forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Thu, 10 Dec 2015 17:45:05 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 10 Dec 2015 17:45:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: bugs@debian.org
Subject: CVE-2015-8369: cacti: SQL injection in graph.php
Date: Thu, 10 Dec 2015 19:42:01 +0200

Package: cacti
Version: 0.8.8f+ds1-2
Severity: important
Tags: security

The following vulnerability was published for Cacti. CVE identifier
CVE-2015-8369 was assigned for this issue.

http://bugs.cacti.net/view.php?id=2646

-- 
Henri Salo



Set Bug forwarded-to-address to 'http://bugs.cacti.net/view.php?id=2646'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Dec 2015 19:48:04 GMT).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Dec 2015 19:48:07 GMT).


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 12 Dec 2015 20:15:07 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 12 Dec 2015 20:15:07 GMT).


Message #14 received at 807599-done@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599-done@bugs.debian.org
Subject: Re: cacti_0.8.8f+ds1-3_source.changes ACCEPTED into unstable
Date: Sat, 12 Dec 2015 21:12:13 +0100
Version: cacti_0.8.8f+ds1-3

Oops, should have added the bug number in the changelog.

Paul

On 12-12-15 16:49, Debian FTP Masters wrote:
> 
> 
> Accepted:
> 
> Format: 1.8
> Date: Sat, 12 Dec 2015 14:03:40 +0100
> Source: cacti
> Binary: cacti
> Architecture: source
> Version: 0.8.8f+ds1-3
> Distribution: unstable
> Urgency: high
> Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
> Changed-By: Paul Gevers <elbrus@debian.org>
> Description:
>  cacti      - web interface for graphing of monitoring systems
> Changes:
>  cacti (0.8.8f+ds1-3) unstable; urgency=high
>  .
>    * Add upstream patch to fix
>      - CVE-2015-8369 SQL Injection vulnerability in graph.php
> 
> 
> 
> Thank you for your contribution to Debian.
> 


Marked as fixed in versions cacti/0.8.8f+ds1-3. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sat, 12 Dec 2015 20:45:04 GMT).


Marked as found in versions cacti/0.8.8b+dfsg-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 13 Dec 2015 12:06:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Sun, 13 Dec 2015 20:39:04 GMT).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 13 Dec 2015 20:39:04 GMT).


Message #23 received at 807599@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [cacti/debian-jessie] Add patch for CVE-2015-8369: sql injection in graph.php
Date: Sun, 13 Dec 2015 20:34:31 +0000
tag 807599 pending
thanks

Date: Sat Dec 12 14:03:31 2015 +0100
Author: Paul Gevers <elbrus@debian.org>
Commit ID: 65f5aaad0dfb47204a25d3a95cbe202c35b48cfc
Commit URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff;h=65f5aaad0dfb47204a25d3a95cbe202c35b48cfc
Patch URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff_plain;h=65f5aaad0dfb47204a25d3a95cbe202c35b48cfc

    Add patch for CVE-2015-8369: sql injection in graph.php

    Closes: #807599
      



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Sun, 13 Dec 2015 20:39:06 GMT).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 13 Dec 2015 20:39:06 GMT).


Message #28 received at 807599@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [cacti/debian-wheezy] Add patch for CVE-2015-8369: sql injection in graph.php
Date: Sun, 13 Dec 2015 20:34:31 +0000
tag 807599 pending
thanks

Date: Sat Dec 12 14:03:31 2015 +0100
Author: Paul Gevers <elbrus@debian.org>
Commit ID: aec07299fe1dd22da7fc164d5f1db6e0eb2f56e9
Commit URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff;h=aec07299fe1dd22da7fc164d5f1db6e0eb2f56e9
Patch URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff_plain;h=aec07299fe1dd22da7fc164d5f1db6e0eb2f56e9

    Add patch for CVE-2015-8369: sql injection in graph.php

    Closes: #807599
      



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Sun, 13 Dec 2015 20:39:08 GMT).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 13 Dec 2015 20:39:08 GMT).


Message #33 received at 807599@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [cacti/debian-sid] Add patch for CVE-2015-8369: sql injection in graph.php
Date: Sun, 13 Dec 2015 20:34:31 +0000
tag 807599 pending
thanks

Date: Sat Dec 12 14:03:31 2015 +0100
Author: Paul Gevers <elbrus@debian.org>
Commit ID: e22634aaaa35b57261e668248821e8c0aeed9b42
Commit URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff;h=e22634aaaa35b57261e668248821e8c0aeed9b42
Patch URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff_plain;h=e22634aaaa35b57261e668248821e8c0aeed9b42

    Add patch for CVE-2015-8369: sql injection in graph.php

    Closes: #807599
      



Added tag(s) pending. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sun, 13 Dec 2015 20:39:11 GMT).


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sun, 20 Dec 2015 18:06:09 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 20 Dec 2015 18:06:09 GMT).


Message #40 received at 807599-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599-close@bugs.debian.org
Subject: Bug#807599: fixed in cacti 0.8.8b+dfsg-8+deb8u3
Date: Sun, 20 Dec 2015 18:02:07 +0000
Source: cacti
Source-Version: 0.8.8b+dfsg-8+deb8u3

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 12 Dec 2015 21:08:55 +0100
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-8+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 807599
Changes:
 cacti (0.8.8b+dfsg-8+deb8u3) jessie-security; urgency=high
 .
   * Add upstream patch to fix (Closes: #807599)
     - CVE-2015-8369 SQL Injection vulnerability in graph.php





Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sun, 20 Dec 2015 18:09:08 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 20 Dec 2015 18:09:08 GMT).


Message #45 received at 807599-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 807599-close@bugs.debian.org
Subject: Bug#807599: fixed in cacti 0.8.8a+dfsg-5+deb7u7
Date: Sun, 20 Dec 2015 18:07:40 +0000
Source: cacti
Source-Version: 0.8.8a+dfsg-5+deb7u7

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 12 Dec 2015 21:24:23 +0100
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8a+dfsg-5+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description: 
 cacti      - web interface for graphing of monitoring systems
Closes: 807599
Changes: 
 cacti (0.8.8a+dfsg-5+deb7u7) wheezy-security; urgency=high
 .
   * Add upstream patch to fix (Closes: #807599)
     - CVE-2015-8369 SQL Injection vulnerability in graph.php





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sat, 26 Dec 2015 13:51:13 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 26 Dec 2015 13:51:14 GMT).


Message #50 received at 807599-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 807599-close@bugs.debian.org
Subject: Bug#807599: fixed in cacti 0.8.7g-1+squeeze9+deb6u11
Date: Sat, 26 Dec 2015 13:49:25 +0000
Source: cacti
Source-Version: 0.8.7g-1+squeeze9+deb6u11

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 26 Dec 2015 12:53:42 +0000
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze9+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 807599
Changes: 
 cacti (0.8.7g-1+squeeze9+deb6u11) squeeze-lts; urgency=high
 .
   * CVE-2015-8369: Fix SQL Injection vulnerability in graph.php
     (Closes: #807599)
   * CVE-2015-8377: Fix SQL Injection vulnerability in graph_new.php.





Marked as found in versions cacti/0.8.7g-1+squeeze9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2015 15:24:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Mon, 28 Dec 2015 10:54:11 GMT).


Acknowledgement sent to Marcel Meckel <debian@thermoman.de>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 28 Dec 2015 10:54:11 GMT).


Message #57 received at 807599@bugs.debian.org:

From: Marcel Meckel <debian@thermoman.de>
To: 807599@bugs.debian.org
Subject: Broken cacti image on 0.8.7g-1+squeeze9+deb6u11
Date: Mon, 28 Dec 2015 11:43:33 +0100
Hi,

the build 0.8.7g-1+squeeze9+deb6u11 on Squeeze LTS has the bug fixed - 
because now it's broken!

Request the URL

  http://example.com/cacti/graph.php?action=view&local_graph_id=3171&rra_id=all

And you'll get the error:

  PHP Fatal error:  Call to undefined function input_validate_input_regex() in /usr/share/cacti/site/graph.php on line 31

This is no wonder because /usr/share/cacti/site/graph.php looks like:

<?php

/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = "view"; }
if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }

$guest_account = true;
/* ================= input validation ================= */
input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var_request("local_graph_id"));
input_validate_input_number(get_request_var_request("graph_end"));
input_validate_input_number(get_request_var_request("graph_start"));
input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
/* ==================================================== */

include("./include/auth.php");
include_once("./lib/rrd.php");
include_once("./lib/html_tree.php");
include_once("./include/top_graph_header.php");

[..]



There is no function 'input_validate_input_regex' defined, nor any include done,
before input_validate_input_regex is used on line 31.

This is very dangerous because one could think of moving the 4-line include block
before the first input_validate_input_ line, which *reopens* the sql injection!

Please fix this and test afterwards with the URL

  http://example.com/cacti/graph.php?action=properties&local_graph_id=3363&rra_id=1 and benchmark(20000000%2csha1(1))-- &view_type=tree&graph_start=1449752140&graph_end=1449838540



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#807599; Package cacti. (Mon, 28 Dec 2015 10:57:06 GMT).


Acknowledgement sent to Marcel Meckel <debian@thermoman.de>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 28 Dec 2015 10:57:07 GMT).


Message #62 received at 807599@bugs.debian.org:

From: Marcel Meckel <debian@thermoman.de>
To: 807599@bugs.debian.org
Subject: Fix for broken cacti image on 0.8.7g-1+squeeze9+deb6u11
Date: Mon, 28 Dec 2015 11:47:51 +0100
The much better solution to fix this would be keeping the
include block over the input_validate_* calls in graph.php
(which without more modifications would reopen the sql injection vuln)
and then fix this in

  /usr/share/cacti/site/include/top_graph_header.php

where you just have to add the line

  input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");

in the input validation block.
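As an added example (not Cacti's or the Debian packaging's code), the validation block quoted in messages #57 and #62 above, modelled as a stand-alone PHP script: the parameter names and regexes are the ones from graph.php and the two URLs are the ones posted in the report, while the helper names input_ok_regex/input_ok_number, their pass/fail return convention and the rule that an empty value passes are assumptions.

```php
<?php
// Added example (not Cacti's own code): a stand-alone model of the graph.php
// input-validation block, arranged so that the validators are defined before
// their first use and can be exercised without a web server or database.

/**
 * Equivalents of Cacti's input_validate_input_regex()/_number() helpers.
 * Cacti's helpers abort the page with an HTML error; these return a bool so
 * the rules can be tested. Empty or missing values count as "not supplied"
 * and pass (assumption, consistent with graph.php defaulting view_type to "").
 */
function input_ok_regex($value, string $regex): bool
{
    if ($value === null || $value === '') {
        return true;
    }
    if (!is_string($value)) {       // rra_id[]=... arrives as an array: reject
        return false;
    }
    // D modifier: "$" must not accept a trailing newline as end of string.
    return preg_match('/' . $regex . '/D', $value) === 1;
}

function input_ok_number($value): bool
{
    // Stricter than is_numeric(): digits only, no sign, exponent or spaces.
    return input_ok_regex($value, '^[0-9]+$');
}

/**
 * The five checks graph.php performs. Returns the names of the parameters
 * that fail; an empty array means the request may proceed. Everything that
 * builds SQL from these values (in Cacti, the top_graph_header.php include
 * among others) must run only after this has returned an empty array.
 */
function validate_graph_request(array $request): array
{
    $rules = [
        'rra_id'         => fn($v) => input_ok_regex($v, '^([0-9]+|all)$'),
        'local_graph_id' => fn($v) => input_ok_number($v),
        'graph_end'      => fn($v) => input_ok_number($v),
        'graph_start'    => fn($v) => input_ok_number($v),
        'view_type'      => fn($v) => input_ok_regex($v, '^([a-zA-Z0-9]+)$'),
    ];
    $failed = [];
    foreach ($rules as $name => $check) {
        if (!$check($request[$name] ?? null)) {
            $failed[] = $name;
        }
    }
    return $failed;
}

/** Builds the request array the way PHP fills $_GET, percent-decoding included. */
function request_from_url(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $request);
    return $request;
}

// Both URLs are the ones posted in the report. The first must be accepted
// (rejecting it is the "broken image" regression); the second must not be.
$benign = request_from_url(
    'http://example.com/cacti/graph.php?action=view&local_graph_id=3171&rra_id=all');
$probe = request_from_url(
    'http://example.com/cacti/graph.php?action=properties&local_graph_id=3363'
    . '&rra_id=1 and benchmark(20000000%2csha1(1))-- &view_type=tree'
    . '&graph_start=1449752140&graph_end=1449838540');

foreach (['benign' => $benign, 'probe' => $probe] as $label => $request) {
    $failed = validate_graph_request($request);
    printf("%-6s -> %s\n", $label, $failed ? 'reject: ' . implode(', ', $failed) : 'accept');
}
```

Run it with `php` on the command line; the benign request validates clean and the probe is rejected on rra_id alone, which is exactly the pair of checks the two messages ask the package maintainer to run before and after the fix.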



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 04 Jan 2016 12:24:04 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 04 Jan 2016 12:24:04 GMT).


Message #67 received at 807599-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 807599-close@bugs.debian.org
Subject: Bug#807599: fixed in cacti 0.8.7g-1+squeeze9+deb6u13
Date: Mon, 04 Jan 2016 12:20:25 +0000
Source: cacti
Source-Version: 0.8.7g-1+squeeze9+deb6u13

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 04 Jan 2016 11:37:24 +0000
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze9+deb6u13
Distribution: squeeze-lts
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 807599 809260
Changes: 
 cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high
 .
   * Correct yet another regression in patch for CVE-2015-8369, introduced in
     0.8.7g-1+squeeze9+deb6u12. Thanks to Marcel Meckel <debian@thermoman.de>
     (Closes: #809260, #807599)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Feb 2016 07:38:31 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:16:41 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.