Version in base suite: 1.2.24+ds1-1+deb12u4 Base version: cacti_1.2.24+ds1-1+deb12u4 Target version: cacti_1.2.24+ds1-1+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cacti/cacti_1.2.24+ds1-1+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cacti/cacti_1.2.24+ds1-1+deb12u5.dsc changelog | 60 +++ patches/0036-CVE-2024-27082.patch | 36 ++ patches/CVE-2024-43362.patch | 48 ++ patches/CVE-2024-43363.patch | 77 ++++ patches/CVE-2024-43364-1.patch | 27 + patches/CVE-2024-43364-2.patch | 25 + patches/CVE-2024-45598-fix.patch | 24 + patches/CVE-2024-45598_to_CVE-2025-24368.patch | 405 +++++++++++++++++++++++++ patches/CVE-2025-22604_pre1.patch | 74 ++++ patches/series | 8 10 files changed, 784 insertions(+) diff -Nru cacti-1.2.24+ds1/debian/changelog cacti-1.2.24+ds1/debian/changelog --- cacti-1.2.24+ds1/debian/changelog 2024-08-24 14:04:49.000000000 +0000 +++ cacti-1.2.24+ds1/debian/changelog 2025-02-09 14:36:48.000000000 +0000 @@ -1,3 +1,63 @@ +cacti (1.2.24+ds1-1+deb12u5) bookworm-security; urgency=medium + + * Non-maintainer upload by the Security Team. + * Fix CVE-2024-27082: Stored XSS vulnerability. + * Fix CVE-2024-43362: XSS (Cross-Site Scripting) Vulnerability. + The `fileurl` parameter is not properly sanitized when + saving external links in `links.php` . Morever, the said + fileurl is placed in some html code which is passed to + the `print` function in `link.php` and `index.php`, + finally leading to stored XSS + * Fix CVE-2024-43363: Remote Code Execution (RCE) by + log poisoning. An admin user can create a device with + a malicious hostname containing php code and repeat + the installation process to use a php file as the + cacti log file. After having the malicious hostname end + up in the logs (log poisoning), one can simply go to the + log file url to execute commands to achieve RCE. + * Fix CVE-2024-43364: Stored XSS (Cross-Site Scripting) Vulnerability. + The `title` parameter is not properly sanitized when + saving external links in links.php . Morever, the said + title parameter is stored in the database and reflected back + to user in index.php, finally leading to stored XSS. + * Fix CVE-2024-43365: Stored XSS (Cross-Site Scripting) Vulnerability. + The`consolenewsection` parameter is not properly sanitized + when saving external links in links.php . Morever, the said + consolenewsection parameter is stored in the database and + reflected back to user in `index.php`, finally leading + to stored XSS. + * Fix CVE-2024-45598: Local File Inclusion (LFI) Vulnerability + via Poller Standard Error Log Path. + An admin can change Poller Standard Error Log Path parameter in + either Installation Step 5 or in Configuration->Settings->Paths tab + to a local file inside the server. Then simply going to Logs tab and + selecting the name of the local file will show its content + on the web UI. + * Fix CVE-2024-54145: SQL Injection vulnerability when request + automation devices. + A SQL injection vulnerability in get_discovery_results function + of automation_devices.php.paramter networkconcat into + sql_wherewithout Sufficient filtration. + * Fix CVE-2025-22604: Authenticated RCE via multi-line SNMP responses + Due to a flaw in multi-line SNMP result parser, authenticated users + can inject malformed OIDs in the response. When processed by + ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each + OID will be used as a key in an array that is used as part of a + system command, causing a command execution vulnerability. + * Fix CVE-2025-24367: Arbitrary File Creation leading to RCE + An authenticated Cacti user can abuse graph creation and graph + template functionality to create arbitrary PHP scripts in the + web root of the application, leading to remote code + execution on the server. + * Fix CVE-2025-24368: SQL Injection vulnerability when using + tree rules through Automation API + Some of the data stored in automation_tree_rules.php is not + thoroughly checked and is used to concatenate the SQL statement in + build_rule_item_filter() function from lib/api_automation.php ,* + finally resulting in SQL injection. + + -- Bastien Roucariès Sun, 09 Feb 2025 14:36:48 +0000 + cacti (1.2.24+ds1-1+deb12u4) bookworm; urgency=medium * Non-maintainer upload by the LTS Security Team. diff -Nru cacti-1.2.24+ds1/debian/patches/0036-CVE-2024-27082.patch cacti-1.2.24+ds1/debian/patches/0036-CVE-2024-27082.patch --- cacti-1.2.24+ds1/debian/patches/0036-CVE-2024-27082.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/0036-CVE-2024-27082.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,36 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sun, 8 Sep 2024 14:18:24 +0000 +Subject: CVE-2024-27082 + +In this report, I have identified a security vulnerability in the +Cacti web system that enables malicious actors to exploit it. This +type of vulnerability falls under the category of Stored XSS. Stored +XSS is one of the fundamental aspects of information security, and +vulnerabilities in this area can lead to unauthorized access to +sensitive information or critical resources Cookie. + +This vulnerability is associated with the Stored XSS process in the +system. When a user logs in with high-level permissions,It has the +ability to implement XSS Stored vulnerability and can exploit this +vulnerability. + +origin: https://github.com/Cacti/cacti/commit/593ca99b7716acdaa6f6149b89662de9312376ef +bug-github-GHSA: https://github.com/Cacti/cacti/security/advisories/GHSA-j868-7vjp-rp9h +bug: https://github.com/Cacti/cacti/issues/5798 +--- + tree.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tree.php b/tree.php +index 8624a1f..43b4e68 100644 +--- a/tree.php ++++ b/tree.php +@@ -1478,7 +1478,7 @@ function tree_edit($partial = false) { + // as they would have been. + if ($(id).hasClass('jstree')) { + $(id).find('.jstree-node').each(function() { +- var text = $(this).find('.jstree-anchor').text(); ++ var text = DOMPurify.sanitize($(this).find('.jstree-anchor').text()); + var id = $(this).attr('id'); + var jsdata = $(this).attr('data-jstree'); + diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-43362.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-43362.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-43362.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-43362.patch 2025-02-07 20:19:59.000000000 +0000 @@ -0,0 +1,48 @@ +From: TheWitness +Date: Sun, 4 Aug 2024 11:27:08 -0400 +Subject: CVE-2024-43362 + +origin: backport, https://github.com/Cacti/cacti/commit/3f64e7c1a63e36d0e826c34f05ad20b6683b27ff +bug: https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c +--- + link.php | 8 +++++++- + links.php | 7 ++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/link.php b/link.php +index 730879b..de83c87 100644 +--- a/link.php ++++ b/link.php +@@ -72,7 +72,13 @@ if (!cacti_sizeof($page)) { + } + + if (preg_match('/^((((ht|f)tp(s?))\:\/\/){1}\S+)/i', $page['contentfile'])) { +- print ''; ++ if (filter_var($page['contentfile'], FILTER_VALIDATE_URL)) { ++ print ''; ++ } else { ++ $message = __esc("External Link ID '%s' with Title '%s' attempted to inject an invalid URL and was blocked!", $page['id'], $page['title']); ++ cacti_log($message, false, 'SECURITY'); ++ raise_message('invalid_url', $message, MESSAGE_LEVEL_ERROR); ++ } + } else { + print '
'; + +diff --git a/links.php b/links.php +index a00c37c..d3ae126 100644 +--- a/links.php ++++ b/links.php +@@ -69,7 +69,12 @@ case 'save': + $save['refresh'] = form_input_validate(get_nfilter_request_var('refresh'), 'refresh', '^[0-9]+$', false, 3); + + if (preg_match('/^((((ht|f)tp(s?))\:\/\/){1}\S+)/i', get_nfilter_request_var('fileurl')) && get_nfilter_request_var('filename') == '0') { +- $save['contentfile'] = get_nfilter_request_var('fileurl'); ++ if (filter_var(get_nfilter_request_var('fileurl'), FILTER_VALIDATE_URL)) { ++ $save['contentfile'] = get_nfilter_request_var('fileurl'); ++ } else { ++ $_SESSION['sess_error_fields']['contentfile'] = 'contentfile'; ++ raise_message('badurl', __('Your contentfile is not a valid URL. Please enter a value URL'), MESSAGE_LEVEL_ERROR); ++ } + } else { + $save['contentfile'] = preg_replace('/[^A-Za-z0-9_\.-]/','_', get_nfilter_request_var('filename')); + } diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-43363.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-43363.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-43363.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-43363.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,77 @@ +From: TheWitness +Date: Sun, 4 Aug 2024 11:51:37 -0400 +Subject: CVE-2024-43363 Fixing a possible user directed RCE when installing + Cacti + +[backport] +set_install_config_option was introduced in https://github.com/Cacti/cacti/commit/5f78605e28a7a2a4fd4428934f73b207284d753b +previously call set_config_option patch this function + +origin: backport, https://github.com/Cacti/cacti/commit/3adc71a2b97506bf26c21935e1e6f30d58fe88e3 +bug: https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4 +--- + install/functions.php | 8 +++++--- + lib/functions.php | 15 +++++++++++++++ + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/install/functions.php b/install/functions.php +index 3424eec..fe317f7 100644 +--- a/install/functions.php ++++ b/install/functions.php +@@ -601,15 +601,15 @@ function install_tool_path($name, $defaultPaths) { + ); + + log_install_debug('file', "$name: Locations ($os), Paths: " . clean_up_lines(var_export($defaultPaths, true))); +- if (isset($settings) && isset($settings['path']) && isset($settings['path']['path_'.$name])) { +- $tool = $settings['path']['path_'.$name]; ++ if (isset($settings) && isset($settings['path']) && isset($settings['path']['path_' . $name])) { ++ $tool = $settings['path']['path_' . $name]; + } elseif (isset($settings) && isset($settings['mail']) && isset($settings['mail'][$name])) { + $tool = $settings['mail'][$name]; + } + + $which_tool = ''; + if (config_value_exists('path_' . $name)) { +- $which_tool = read_config_option('path_'.$name, true); ++ $which_tool = read_config_option('path_' . $name, true); + log_install_high('file', "Using config location: $which_tool"); + } + +@@ -1093,9 +1093,11 @@ function install_full_sync() { + AND disabled = ""'); + + log_install_always('sync', 'Found ' . cacti_sizeof($pollers) . ' poller(s) to sync'); ++ + if (cacti_sizeof($pollers)) { + foreach($pollers as $poller) { + log_install_debug('sync', 'Poller ' . $poller['id'] . ' has a status of ' . $poller['status'] . ' with gap ' . $poller['gap']); ++ + if (($poller['status'] == POLLER_STATUS_NEW) || + ($poller['status'] == POLLER_STATUS_DOWN) || + ($poller['status'] == POLLER_STATUS_DISABLED)) { +diff --git a/lib/functions.php b/lib/functions.php +index d8460a3..b80c4b3 100644 +--- a/lib/functions.php ++++ b/lib/functions.php +@@ -417,6 +417,21 @@ function set_config_option($config_name, $value, $remote = false) { + + include_once($config['base_path'] . '/lib/poller.php'); + ++ /* some additional extension checks */ ++ switch($config_name) { ++ case 'path_cactilog': ++ $extension = pathinfo($value, PATHINFO_EXTENSION); ++ if ($extension != 'log') { ++ $value = $config['base_path'] . '/log/cacti.log'; ++ } ++ break; ++ case 'path_stderrlog': ++ $extension = pathinfo($value, PATHINFO_EXTENSION); ++ if ($extension != 'log') { ++ $value = $config['base_path'] . '/log/cacti.stderr.log'; ++ } ++ break; ++ } + db_execute_prepared('REPLACE INTO settings + SET name = ?, value = ?', + array($config_name, $value)); diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-1.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-1.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-1.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,27 @@ +From: TheWitness +Date: Sun, 4 Aug 2024 11:08:10 -0400 +Subject: CVE-2024-43364 [1/2] + +QA: Security issue associated with external links + +origin: backport, https://github.com/Cacti/cacti/commit/e03f605dca8da56ecc7d321103a5842cd32007b0 +bug: https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5 +--- + include/global_arrays.php | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/global_arrays.php b/include/global_arrays.php +index 8768740..be5db20 100644 +--- a/include/global_arrays.php ++++ b/include/global_arrays.php +@@ -1091,8 +1091,8 @@ if ((isset($_SESSION['sess_user_id']))) { + if (cacti_sizeof($consoles)) { + foreach ($consoles as $page) { + if (!$config['is_web'] || is_realm_allowed($page['id']+10000)) { +- $menuname = (isset($page['extendedstyle']) && $page['extendedstyle'] != '' ? $page['extendedstyle'] : __('External Links')); +- $menu[$menuname]['link.php?id=' . $page['id']] = $page['title']; ++ $menuname = (isset($page['extendedstyle']) && $page['extendedstyle'] != '' ? html_escape($page['extendedstyle']) : __('External Links')); ++ $menu[$menuname]['link.php?id=' . $page['id']] = html_escape($page['title']); + } + } + } diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-2.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-2.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-43364-2.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,25 @@ +From: TheWitness +Date: Sun, 4 Aug 2024 10:58:43 -0400 +Subject: CVE-2024-43364 [2/2] + +Fixing minor security issue + +origin: backport, https://github.com/Cacti/cacti/commit/059d107fade96cde3743f1e2d444ce52beb92321 +bug: https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5 +--- + lib/html.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/html.php b/lib/html.php +index 11827c8..a2d2d6a 100644 +--- a/lib/html.php ++++ b/lib/html.php +@@ -1767,7 +1767,7 @@ function html_show_tabs_left() { + } + } + +- print '' . $tab['title'] . ''; ++ print '' . html_escape($tab['title']) . ''; + } + } + } diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-45598-fix.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-45598-fix.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-45598-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-45598-fix.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,24 @@ +From: TheWitness +Date: Sun, 25 Aug 2024 18:21:41 -0400 +Subject: QA: Additional change relative to GHSA-pv2c-97pp-vxwg + +Thanks to @TayfunYelim for identifying this. + +origin: https://github.com/Cacti/cacti/commit/eca52c6bb3e76c55d66b1040baa6dbf37471a0ae +--- + settings.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/settings.php b/settings.php +index fab3e75..cd6d3f1 100644 +--- a/settings.php ++++ b/settings.php +@@ -100,7 +100,7 @@ case 'save': + } else { + $continue = true; + +- if ($field_name == 'path_cactilog') { ++ if ($field_name == 'path_cactilog' || $field_name == 'path_stderrlog') { + $extension = pathinfo(get_nfilter_request_var($field_name), PATHINFO_EXTENSION); + + if ($extension != 'log') { diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2024-45598_to_CVE-2025-24368.patch cacti-1.2.24+ds1/debian/patches/CVE-2024-45598_to_CVE-2025-24368.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2024-45598_to_CVE-2025-24368.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2024-45598_to_CVE-2025-24368.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,405 @@ +From: TheWitness +Date: Sun, 26 Jan 2025 12:53:31 -0500 +Subject: QA: 1.2.29 Security Updates (#6074) + +This fix CVE-2024-45598, CVE-2024-54145, CVE-2025-22604, CVE-2025-24367, CVE-2025-24368 + +bug-CVE-2024-45598: https://github.com/Cacti/cacti/security/advisories/GHSA-pv2c-97pp-vxwg +bug-CVE-2024-54145: https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp +bug-CVE-2025-22604: https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36 +bug-CVE-2025-24367: https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq +bug-CVE-2025-24368: https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c + +origin: backport, https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 +origin: backport, https://github.com/Cacti/cacti/commit/94526a92b96c01848748602977819cd403932f0a +--- + automation_devices.php | 66 ++++++++++++++++++++++---------------- + automation_graph_rules.php | 13 ++++++++ + automation_tree_rules.php | 13 ++++++++ + lib/functions.php | 19 +++++++---- + lib/html_validate.php | 2 +- + lib/snmp.php | 47 +++++++++++++++++++++++---- + scripts/ss_net_snmp_disk_bytes.php | 4 +-- + scripts/ss_net_snmp_disk_io.php | 4 +-- + 8 files changed, 123 insertions(+), 45 deletions(-) + +diff --git a/automation_devices.php b/automation_devices.php +index de20b53..f4f1d52 100644 +--- a/automation_devices.php ++++ b/automation_devices.php +@@ -345,45 +345,44 @@ function process_request_vars() { + 'filter' => FILTER_VALIDATE_INT, + 'pageset' => true, + 'default' => '-1' +- ), ++ ), + 'page' => array( + 'filter' => FILTER_VALIDATE_INT, + 'default' => '1' + +- ), ++ ), + 'filter' => array( + 'filter' => FILTER_DEFAULT, + 'pageset' => true, + 'default' => '' +- ), ++ ), + 'sort_column' => array( + 'filter' => FILTER_CALLBACK, + 'default' => 'hostname', + 'options' => array('options' => 'sanitize_search_string') +- ), ++ ), + 'sort_direction' => array( + 'filter' => FILTER_CALLBACK, + 'default' => 'ASC', + 'options' => array('options' => 'sanitize_search_string') +- ), ++ ), + 'status' => array( + 'filter' => FILTER_CALLBACK, + 'pageset' => true, + 'default' => '', + 'options' => array('options' => 'sanitize_search_string') +- ), ++ ), + 'network' => array( +- 'filter' => FILTER_CALLBACK, ++ 'filter' => FILTER_VALIDATE_INT, + 'pageset' => true, +- 'default' => '', +- 'options' => array('options' => 'sanitize_search_string') +- ), ++ 'default' => '-1', ++ ), + 'snmp' => array( + 'filter' => FILTER_CALLBACK, + 'pageset' => true, + 'default' => '', + 'options' => array('options' => 'sanitize_search_string') +- ), ++ ), + 'os' => array( + 'filter' => FILTER_CALLBACK, + 'pageset' => true, +@@ -400,6 +399,8 @@ function get_discovery_results(&$total_rows = 0, $rows = 0, $export = false) { + global $os_arr, $status_arr, $networks, $device_actions; + + $sql_where = ''; ++ $sql_params = array(); ++ + $status = get_request_var('status'); + $network = get_request_var('network'); + $snmp = get_request_var('snmp'); +@@ -407,42 +408,51 @@ function get_discovery_results(&$total_rows = 0, $rows = 0, $export = false) { + $filter = get_request_var('filter'); + + if ($status == __('Down')) { +- $sql_where .= 'WHERE up=0'; ++ $sql_where .= 'WHERE up = 0'; + } else if ($status == __('Up')) { +- $sql_where .= 'WHERE up=1'; ++ $sql_where .= 'WHERE up = 1'; + } + + if ($network > 0) { +- $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'network_id=' . $network; ++ $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'network_id = ?'; ++ $sql_params[] = $network; + } + + if ($snmp == __('Down')) { +- $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'snmp=0'; ++ $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'snmp = 0'; + } else if ($snmp == __('Up')) { +- $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'snmp=1'; ++ $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'snmp = 1'; + } + + if ($os != '-1' && in_array($os, $os_arr)) { +- $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . "os='$os'"; ++ $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'os = ?'; ++ $sql_param[] = $os; + } + + if ($filter != '') { +- $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(hostname LIKE ' . db_qstr('%' . $filter . '%') . ' +- OR ip LIKE ' . db_qstr('%' . $filter . '%') . ' +- OR sysName LIKE ' . db_qstr('%' . $filter . '%') . ' +- OR sysDescr LIKE ' . db_qstr('%' . $filter . '%') . ' +- OR sysLocation LIKE ' . db_qstr('%' . $filter . '%') . ' +- OR sysContact LIKE ' . db_qstr('%' . $filter . '%') . ' +- )'; ++ $sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ++ '(hostname LIKE ? OR ip LIKE ? OR sysName LIKE ? OR sysDescr LIKE ? OR sysLocation LIKE ? OR sysContact LIKE ?)'; ++ ++ $sql_params[] = '%' . $filter . '%'; ++ $sql_params[] = '%' . $filter . '%'; ++ $sql_params[] = '%' . $filter . '%'; ++ $sql_params[] = '%' . $filter . '%'; ++ $sql_params[] = '%' . $filter . '%'; ++ $sql_params[] = '%' . $filter . '%'; + } + + if ($export) { +- return db_fetch_assoc("SELECT * FROM automation_devices $sql_where ORDER BY INET_ATON(ip)"); ++ return db_fetch_assoc_prepared("SELECT * ++ FROM automation_devices ++ $sql_where ++ ORDER BY INET_ATON(ip)", ++ $sql_params); + } else { +- $total_rows = db_fetch_cell("SELECT ++ $total_rows = db_fetch_cell_prepared("SELECT + COUNT(*) + FROM automation_devices +- $sql_where"); ++ $sql_where", ++ $sql_params); + + $page = get_request_var('page'); + +@@ -455,7 +465,7 @@ function get_discovery_results(&$total_rows = 0, $rows = 0, $export = false) { + $sql_order + $sql_limit"; + +- return db_fetch_assoc($sql_query); ++ return db_fetch_assoc_prepared($sql_query, $sql_params); + } + } + +diff --git a/automation_graph_rules.php b/automation_graph_rules.php +index a75306e..0c265be 100644 +--- a/automation_graph_rules.php ++++ b/automation_graph_rules.php +@@ -127,6 +127,19 @@ function save() { + $save['operator'] = form_input_validate((isset_request_var('operator') ? get_nfilter_request_var('operator') : ''), 'operator', '^[0-9]+$', true, 3); + $save['pattern'] = form_input_validate((isset_request_var('pattern') ? get_nfilter_request_var('pattern') : ''), 'pattern', '', true, 3); + ++ /* Test for SQL injections */ ++ $field_name = str_replace(array('ht.', 'h.', 'gt.'), '', $save['field']); ++ ++ if (!db_column_exists('host', $field_name) && !db_column_exists('host_template', $field_name) && !db_column_exists('graph_templates', $field_name)) { ++ raise_message('sql_injection', __('An attempt was made to perform a SQL injection in Tree automation'), MESSAGE_LEVEL_ERROR); ++ ++ cacti_log(sprintf('ERROR: An attempt was made to perform a SQL Injection in Graph Automation from client address \'%s\'', get_client_addr()), false, 'SECURITY'); ++ ++ header('Location: automation_graph_rules.php?header=false&action=edit&id=' . get_request_var('id') . '&rule_type=' . AUTOMATION_RULE_TYPE_GRAPH_ACTION); ++ ++ exit; ++ } ++ + if (!is_error_message()) { + $item_id = sql_save($save, 'automation_graph_rule_items'); + +diff --git a/automation_tree_rules.php b/automation_tree_rules.php +index 9df057f..652642d 100644 +--- a/automation_tree_rules.php ++++ b/automation_tree_rules.php +@@ -133,6 +133,19 @@ function automation_tree_rules_form_save() { + $save['operator'] = form_input_validate((isset_request_var('operator') ? get_nfilter_request_var('operator') : ''), 'operator', '^[0-9]+$', true, 3); + $save['pattern'] = form_input_validate((isset_request_var('pattern') ? get_nfilter_request_var('pattern') : ''), 'pattern', '', true, 3); + ++ /* Test for SQL injections */ ++ $field_name = str_replace(array('ht.', 'h.', 'gt.'), '', $save['field']); ++ ++ if (!db_column_exists('host', $field_name) && !db_column_exists('host_template', $field_name) && !db_column_exists('graph_templates', $field_name)) { ++ raise_message('sql_injection', __('An attempt was made to perform a SQL injection in Tree automation'), MESSAGE_LEVEL_ERROR); ++ ++ cacti_log(sprintf('ERROR: An attempt was made to perform a SQL Injection in Tree automation from client address \'%s\'', get_client_addr()), false, 'SECURITY'); ++ ++ header('Location: automation_tree_rules.php?header=false&action=item_edit&id=' . get_request_var('id') . '&item_id=' . (empty($item_id) ? get_request_var('item_id') : $item_id) . '&rule_type=' . AUTOMATION_RULE_TYPE_TREE_MATCH); ++ ++ exit; ++ } ++ + if (!is_error_message()) { + $item_id = sql_save($save, 'automation_match_rule_items'); + +diff --git a/lib/functions.php b/lib/functions.php +index fca736c..da90c9d 100644 +--- a/lib/functions.php ++++ b/lib/functions.php +@@ -4538,9 +4538,14 @@ function cacti_escapeshellarg($string, $quote = true) { + return $string; + } + +- /* we must use an apostrophe to escape community names under Unix in case the user uses +- characters that the shell might interpret. the ucd-snmp binaries on Windows flip out when +- you do this, but are perfectly happy with a quotation mark. */ ++ /* remove any carriage returns or line feeds from the argument */ ++ $string = str_replace(array("\n", "\r"), array('', ''), $string); ++ ++ /* ++ * we must use an apostrophe to escape community names under Unix in case the user uses ++ * characters that the shell might interpret. the ucd-snmp binaries on Windows flip out when ++ * you do this, but are perfectly happy with a quotation mark. ++ */ + if ($config['cacti_server_os'] == 'unix') { + $string = escapeshellarg($string); + if ($quote) { +@@ -4550,12 +4555,14 @@ function cacti_escapeshellarg($string, $quote = true) { + return substr($string, 1, (strlen($string)-2)); + } + } else { +- /* escapeshellarg takes care of different quotation for both linux and windows, ++ /** ++ * escapeshellarg takes care of different quotation for both linux and windows, + * but unfortunately, it blanks out percent signs + * we want to keep them, e.g. for GPRINT format strings + * so we need to create our own escapeshellarg + * on windows, command injection requires to close any open quotation first +- * so we have to escape any quotation here */ ++ * so we have to escape any quotation here ++ */ + if (substr_count($string, CACTI_ESCAPE_CHARACTER)) { + $string = str_replace(CACTI_ESCAPE_CHARACTER, "\\" . CACTI_ESCAPE_CHARACTER, $string); + } +@@ -7317,7 +7324,7 @@ function cacti_format_ipv6_colon($address) { + if (!filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + return $address; + } +- ++ + if (strpos($address, '[') !== false) { + return $address; + } +diff --git a/lib/html_validate.php b/lib/html_validate.php +index 273edc0..7dd3ce0 100644 +--- a/lib/html_validate.php ++++ b/lib/html_validate.php +@@ -48,7 +48,7 @@ function die_html_input_error($variable = '', $value = '', $message = '') { + global $config; + + if ($message == '') { +- $message = __('Validation error for variable %s with a value of %s. See backtrace below for more details.', html_escape($variable), html_escape($value)); ++ $message = __esc('Validation error for variable %s with a value of %s. See backtrace below for more details.', $variable, html_escape($value)); + } + + if (isset_request_var('json')) { +diff --git a/lib/snmp.php b/lib/snmp.php +index 52f98b1..dc80277 100644 +--- a/lib/snmp.php ++++ b/lib/snmp.php +@@ -480,8 +480,12 @@ function cacti_snmp_session_walk($session, $oid, $dummy = false, $max_repetition + } + + if (cacti_sizeof($out)) { +- foreach($out as $oid => $value){ +- $out[$oid] = format_snmp_string($value, false, $value_output_format); ++ foreach($out as $oid => $value) { ++ if (is_array($value)) { ++ foreach($value as $index => $sval) { ++ $out[$oid][$index] = format_snmp_string($sval, false, $value_output_format); ++ } ++ } + } + } + +@@ -514,7 +518,7 @@ function cacti_snmp_session_get($session, $oid, $strip_alpha = false) { + } + + if (is_array($out)) { +- foreach($out as $oid => $value){ ++ foreach($out as $oid => $value) { + $out[$oid] = format_snmp_string($value, false, SNMP_STRING_OUTPUT_GUESS, $strip_alpha); + } + } else { +@@ -548,7 +552,7 @@ function cacti_snmp_session_getnext($session, $oid) { + } + + if (is_array($out)) { +- foreach($out as $oid => $value){ ++ foreach($out as $oid => $value) { + $out[$oid] = format_snmp_string($value, false); + } + } else { +@@ -558,6 +562,18 @@ function cacti_snmp_session_getnext($session, $oid) { + return $out; + } + ++function cacti_snmp_validate_oid($oid) { ++ $oid = ltrim($oid, '.'); ++ ++ $validate = array_unique(array_map('is_numeric', explode('.', $oid))); ++ ++ if (array_search(false, $validate, true)) { ++ return false; ++ } else { ++ return true; ++ } ++} ++ + function cacti_snmp_walk($hostname, $community, $oid, $version, $auth_user = '', $auth_pass = '', + $auth_proto = '', $priv_pass = '', $priv_proto = '', $context = '', + $port = 161, $timeout_ms = 500, $retries = 0, $bulk_walk_size = 10, $environ = 'SNMP', +@@ -692,10 +708,20 @@ function cacti_snmp_walk($hostname, $community, $oid, $version, $auth_user = '', + } + + $i = 0; ++ + foreach($temp_array as $index => $value) { + if (preg_match('/(.*) =.*/', $value)) { +- $snmp_array[$i]['oid'] = trim(preg_replace('/(.*) =.*/', "\\1", $value)); +- $snmp_array[$i]['value'] = format_snmp_string($value, true, $value_output_format); ++ $parts = explode('=', $value, 2); ++ $t_oid = trim($parts[0]); ++ $t_value = $parts[1]; ++ ++ if (!cacti_snmp_validate_oid($t_oid)) { ++ cacti_log(sprintf('WARNING: SNMP Agent exploit attempted on SNMP agent from host ip: %s with oid: %s', $hostname, $t_oid), false, 'SECURITY'); ++ continue; ++ } ++ ++ $snmp_array[$i]['oid'] = $t_oid; ++ $snmp_array[$i]['value'] = $t_value; + $i++; + } else { + $snmp_array[$i-1]['value'] .= $value; +@@ -704,6 +730,15 @@ function cacti_snmp_walk($hostname, $community, $oid, $version, $auth_user = '', + } + } + ++ /** ++ * replay the array to escape value data in case of a multi-line exploit ++ */ ++ if (cacti_sizeof($snmp_array)) { ++ foreach($snmp_array as $index => $data) { ++ $snmp_array[$index]['value'] = format_snmp_string($data['value'], false, $value_output_format); ++ } ++ } ++ + return $snmp_array; + } + +diff --git a/scripts/ss_net_snmp_disk_bytes.php b/scripts/ss_net_snmp_disk_bytes.php +index db0705b..b3acfbc 100644 +--- a/scripts/ss_net_snmp_disk_bytes.php ++++ b/scripts/ss_net_snmp_disk_bytes.php +@@ -223,8 +223,8 @@ function ss_net_snmp_disk_bytes($host_id_or_hostname = '') { + } + } + +- $data = "'" . json_encode($current) . "'"; +- shell_exec("echo $data > $tmpdir/$tmpfile"); ++ $data = json_encode($current); ++ file_put_contents("$tmpdir/$tmpfile", $data); + } + + if ($found) { +diff --git a/scripts/ss_net_snmp_disk_io.php b/scripts/ss_net_snmp_disk_io.php +index fb2d2ac..00d97f3 100644 +--- a/scripts/ss_net_snmp_disk_io.php ++++ b/scripts/ss_net_snmp_disk_io.php +@@ -222,8 +222,8 @@ function ss_net_snmp_disk_io($host_id_or_hostname = '') { + } + } + +- $data = "'" . json_encode($current) . "'"; +- shell_exec("echo $data > $tmpdir/$tmpfile"); ++ $data = json_encode($current); ++ file_put_contents("$tmpdir/$tmpfile", $data); + } + + if ($found) { diff -Nru cacti-1.2.24+ds1/debian/patches/CVE-2025-22604_pre1.patch cacti-1.2.24+ds1/debian/patches/CVE-2025-22604_pre1.patch --- cacti-1.2.24+ds1/debian/patches/CVE-2025-22604_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/CVE-2025-22604_pre1.patch 2025-02-09 14:08:12.000000000 +0000 @@ -0,0 +1,74 @@ +From: xmacan +Date: Sat, 19 Oct 2024 11:20:46 +0200 +Subject: prepare fix for CVE-2025-22604 + +IPv6 Colon format fixes + +origin: https://patch-diff.githubusercontent.com/raw/Cacti/cacti/pull/5875.patch +bug: https://github.com/Cacti/cacti/pull/5875 +--- + lib/functions.php | 17 +++++++++++++++++ + lib/snmp.php | 4 ++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/functions.php b/lib/functions.php +index b80c4b3..fca736c 100644 +--- a/lib/functions.php ++++ b/lib/functions.php +@@ -7312,3 +7312,20 @@ function debounce_run_notification($id, $freqnency = 1200) { + + return false; + } ++ ++function cacti_format_ipv6_colon($address) { ++ if (!filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { ++ return $address; ++ } ++ ++ if (strpos($address, '[') !== false) { ++ return $address; ++ } ++ ++ if (strpos($address, ':') !== false) { ++ return '[' . $address . ']'; ++ } ++ ++ return($address); ++} ++ +diff --git a/lib/snmp.php b/lib/snmp.php +index d4ade67..52f98b1 100644 +--- a/lib/snmp.php ++++ b/lib/snmp.php +@@ -173,6 +173,7 @@ function cacti_snmp_get($hostname, $community, $oid, $version, $auth_user = '', + } + } else { + $snmp_value = ''; ++ $hostname = cacti_format_ipv6_colon($hostname); + + /* net snmp want the timeout in seconds */ + $timeout_s = (int) ceil($timeout_ms / 1000); +@@ -266,6 +267,7 @@ function cacti_snmp_get_raw($hostname, $community, $oid, $version, $auth_user = + } + } else { + $snmp_value = ''; ++ $hostname = cacti_format_ipv6_colon($hostname); + + /* net snmp want the timeout in seconds */ + $timeout_s = (int) ceil($timeout_ms / 1000); +@@ -354,6 +356,7 @@ function cacti_snmp_getnext($hostname, $community, $oid, $version, $auth_user = + } + } else { + $snmp_value = ''; ++ $hostname = cacti_format_ipv6_colon($hostname); + + /* net snmp want the timeout in seconds */ + $timeout_s = (int) ceil($timeout_ms / 1000); +@@ -631,6 +634,7 @@ function cacti_snmp_walk($hostname, $community, $oid, $version, $auth_user = '', + } else { + /* ucd/net snmp want the timeout in seconds */ + $timeout_s = (int) ceil($timeout_ms / 1000); ++ $hostname = cacti_format_ipv6_colon($hostname); + + if ($version == '1') { + $snmp_auth = '-c ' . snmp_escape_string($community); /* v1/v2 - community string */ diff -Nru cacti-1.2.24+ds1/debian/patches/series cacti-1.2.24+ds1/debian/patches/series --- cacti-1.2.24+ds1/debian/patches/series 2024-08-24 14:00:29.000000000 +0000 +++ cacti-1.2.24+ds1/debian/patches/series 2025-02-09 14:08:12.000000000 +0000 @@ -33,3 +33,11 @@ 0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch 0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch 0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch +0036-CVE-2024-27082.patch +CVE-2024-43362.patch +CVE-2024-43363.patch +CVE-2024-43364-1.patch +CVE-2024-43364-2.patch +CVE-2025-22604_pre1.patch +CVE-2024-45598_to_CVE-2025-24368.patch +CVE-2024-45598-fix.patch