Cacti: official forums and support



cacti 0.6.8a Out

 
raX
Lead Developer


Joined: 13 Oct 2001
Posts: 2234
Location: Carlisle, PA

PostPosted: Thu Sep 05, 2002 10:03 pm    Post subject: cacti 0.6.8a Out Reply with quote

A few security bugs prompted this small release. I also fixed a few bugs that have been annoying people for a while. The complete changelog:

Quote:
-bug: Unchecked string being passed to rrdtool caused a potential security
problem.
-bug: The logout functionality was broken for some users because of a missing
fourth argument.
-bug: Fixed some SNMP parsing problems.
-bug: Fixed a problem with using quotes for data source input.


Since this is a really small release, here is the diff as well:

Code:

diff -r cacti-0.6.8/cacti.sql cacti-0.6.8a/cacti.sql
1031c1031
< INSERT INTO src VALUES (1, 'Ping Host', 'perl <path_cacti>/scripts/ping.pl <num> <ip>', '<out_ms>', NULL);
---
> INSERT INTO src VALUES (1, 'Ping Host', 'perl <path_cacti>/scripts/ping.pl <ip>', '<out_ms>', NULL);
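Review bot: the `<num>` argument dropped from this command string is still expected by scripts/ping.pl further down in the same diff, which reads the count from `$ARGV[0]` and the host from `$ARGV[1]` (`ping -c $ARGV[0] $ARGV[1] -w 1`); with only `<ip>` passed, the host lands in `-c` and `$ARGV[1]` is empty. Either keep `<num>` here or change the script to a fixed count with `$ARGV[0]` as the host; if the intended target was the scripts/ping-new.pl that the diff lists as "Only in cacti-0.6.8a/scripts" without showing it, this row should reference that file instead. Note also that `<ip>` is still substituted unquoted into a shell command line, so its value has to be validated (or the script has to avoid the shell) for this to count as part of the security fix.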
1064d1063
< INSERT INTO src_data VALUES (2, 2, 35, '2');
1117d1115
< INSERT INTO src_fields VALUES (2, 1, 'Times', 'num', 'in', '');
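Review bot: the two deleted rows (src_data id 2 at 1064 and the 'Times'/'num' src_fields row at 1117) only affect a fresh install, since cacti.sql is the initial schema; installations upgrading from 0.6.8 keep both rows and the old two-argument command string for src id 1. An upgrade SQL (DELETE for these two rows plus an UPDATE of the src row 1 command) should ship with the release, or the announcement should state that the template change applies to new installs only.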
diff -r cacti-0.6.8/docs/CHANGELOG cacti-0.6.8a/docs/CHANGELOG
2a3,10
> 0.6.8a
> -bug: Unchecked string being passed to rrdtool caused a potential security
> problem.
> -bug: The logout funtionality was broken for some users because of a missing
> fourth argument.
> -bug: Fixed some SNMP parsing problems.
> -bug: Fixed a problem with using quotes for data source input.
>
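Review bot: the security entry gives an administrator nothing to assess exposure with; the corresponding fix in include/rrd_functions.php concerns the rrdtool command line handed to popen(), so say that the affected input is whatever reaches the rrdtool command line and that the threat is a web user who can influence graph or data source parameters. The logout entry also carries the "funtionality" typo.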
diff -r cacti-0.6.8/ds_data_config.php cacti-0.6.8a/ds_data_config.php
76c76
<             $old_value = mysql_result($sql_id_data, 0, "value");
---
>             $old_value = htmlspecialchars(mysql_result($sql_id_data, 0, "value"));
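Review bot: htmlspecialchars() is called without ENT_QUOTES, so single quotes in `value` pass through unchanged and still terminate a single-quoted HTML attribute if the value is echoed into one; use `htmlspecialchars(mysql_result(...), ENT_QUOTES)`. This call also only encodes for HTML output, so it does nothing for quotes in the same value once it is used in a query or a command line, which the changelog's "quotes for data source input" entry suggests was the actual problem.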
diff -r cacti-0.6.8/include/rrd_functions.php cacti-0.6.8a/include/rrd_functions.php
25a26,29
> function escape_command($command) {
>    return ereg_replace("(\\\$)", "\\\\1", $command);
> }
>
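Review bot: escape_command() prefixes only `$` with a backslash (the ereg_replace pattern matches a literal dollar sign) and is swapped in for escapeshellcmd() on the whole command line in the two hunks below, so backticks, `;`, `|`, `&`, newlines and quote characters in anything interpolated into `$command_line` now reach the shell untouched; that is weaker than the call it replaces and at odds with the changelog's "unchecked string" entry. If escapeshellcmd() was dropped because it mangled legitimate rrdtool syntax (quoted titles, CDEF expressions with parentheses), escape each untrusted value with escapeshellarg() at the point it is inserted into `$command_line` instead of post-processing the assembled line, or at least document why `$` alone is considered sufficient.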
50c54
<       $fp = popen($config["path_rrdtool"]["value"] . escapeshellcmd(" $command_line"), "r");
---
>       $fp = popen($config["path_rrdtool"]["value"] . escape_command(" $command_line"), "r");
52c56
<       $fp = popen($config["path_rrdtool"]["value"] . escapeshellcmd(" $command_line"), "rb");
---
>       $fp = popen($config["path_rrdtool"]["value"] . escape_command(" $command_line"), "rb");
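Review bot: the two popen() lines differ only in the mode string and both rebuild the same command from `$config["path_rrdtool"]["value"]`, which is itself spliced in without any quoting; build the command once (escape_command() already exists as a helper) so that a later change to the escaping cannot miss one of the two call sites, and wrap the rrdtool path in escapeshellarg() since it comes from stored configuration rather than from code.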
diff -r cacti-0.6.8/log/rrd.log cacti-0.6.8a/log/rrd.log
0a1
>
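Review bot: log/rrd.log is a runtime log and this hunk only adds a blank line to it, which suggests the release was cut from a working tree; exclude the file from the tarball (or ship it as a deliberately empty placeholder) rather than carrying whatever the packaging tree happened to contain.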
diff -r cacti-0.6.8/logout.php cacti-0.6.8a/logout.php
26c26
< setcookie(session_name(),"","","/");
---
> setcookie(session_name(),"",time() - 3600,"/");
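Review bot: expiring the cookie on the client does not invalidate the session on the server; unless logout.php also calls session_destroy() (not visible in this hunk), a captured session ID remains usable after logout, so add that call before the setcookie(). The changelog blames a missing fourth argument, but this hunk changes the third (expire) argument and keeps "/" as the fourth; align the changelog wording with the change.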
Only in cacti-0.6.8a/scripts: ping-new.pl
diff -r cacti-0.6.8/scripts/ping.pl cacti-0.6.8a/scripts/ping.pl
3,6c3,4
< if ($ARGV[0]=="x") {
<    $db = ":0";
<    $ARGV[0] = 2;
< }
---
> $ping = `ping -c $ARGV[0] $ARGV[1] -w 1 | grep icmp_seq`;
> $ping =~ s/(.*time=)(.*) (ms|usec)//;
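Review bot: `$ARGV[0]` and `$ARGV[1]` are interpolated unescaped into a backtick command, so any shell metacharacter in the host argument executes as a command; the replaced code had the same flaw, and since this release is billed as a security fix the host should be validated (digits and dots, or hostname characters only) before use, or the shell bypassed entirely with the list form of system()/open() and the `icmp_seq` filtering done in Perl instead of via grep. Separately, with iputils ping `-w 1` ends the whole run after one second regardless of `-c $ARGV[0]`, so larger counts never complete.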
8,11c6
< $response = `ping $ARGV[1] -c $ARGV[0] |grep round-trip| awk '\{print \$4 \}' | awk -F / '\{print \$1 \}' | grep -v "Warning"`;
< chomp $response;
< $response = $response;
< print "$response$db";
---
> print $2;
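Review bot: `print $2` assumes the substitution in the previous hunk matched; when ping gets no reply, grep prints nothing, the match fails and `$2` is undefined, so the script prints an empty string (and a warning under -w) instead of a value rrdtool understands. Test the match result and print `U` on failure. The third capture `(ms|usec)` is discarded, so a `usec` reading is stored as if it were milliseconds in the `<out_ms>` field; divide by 1000 when that group is `usec`.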


-Ian
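To make the escaping question in the diff above concrete (escape_command() in include/rrd_functions.php only escapes `$`, and scripts/ping.pl interpolates its arguments straight into backticks), here is an added example that is not part of the post or of Cacti's code. It re-implements the `$`-only escaper, assembles an rrdtool command line the way 0.6.8a does and the way per-argument quoting would, and then walks each line the way a POSIX shell tokenises it to report which metacharacters would still be acted on. The `active_metachars`, `build_0_6_8a` and `build_quoted` names, the graph-title value and the `rrdtool graph --title` invocation are all assumptions made for the demonstration; `shlex.quote()` stands in for PHP's escapeshellarg().

```python
"""Added example, not Cacti's code: how a POSIX shell reads an rrdtool
command line assembled the 0.6.8a way (escape_command() escapes only "$")
versus one whose untrusted value was quoted per argument.  shlex.quote()
here stands in for PHP's escapeshellarg(); the title value is constructed."""

import shlex
from typing import List

# Characters a POSIX shell acts on outside quotes, and the subset that stays
# active inside double quotes (single quotes neutralise everything).
UNQUOTED_META = set("`$;|&<>()\n")
DQUOTED_META = set("`$")


def escape_command(command: str) -> str:
    """Python port of the diff's escape_command(): put a backslash before '$'."""
    return command.replace("$", "\\$")


def active_metachars(cmdline: str) -> List[str]:
    """Return, in order, the metacharacters a POSIX sh would still interpret.

    Walks the line tracking the shell's three quoting states.  A backslash
    outside quotes protects the next character; inside double quotes it
    protects only $, `, ", \\ and newline; inside single quotes nothing is
    special until the closing quote.
    """
    found: List[str] = []
    state = "unquoted"
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if state == "unquoted":
            if ch == "\\":
                i += 2  # backslash neutralises the next character
                continue
            if ch == "'":
                state = "squoted"
            elif ch == '"':
                state = "dquoted"
            elif ch in UNQUOTED_META:
                found.append(ch)
        elif state == "squoted":
            if ch == "'":
                state = "unquoted"
        else:  # dquoted
            if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] in "$`\"\\\n":
                i += 2
                continue
            if ch == '"':
                state = "unquoted"
            elif ch in DQUOTED_META:
                found.append(ch)
        i += 1
    return found


# Constructed attacker-controlled graph title (hypothetical input, not from
# any real Cacti template): a backtick substitution plus two extra commands.
UNTRUSTED_TITLE = 'Router`id`"; touch /tmp/owned; echo "$HOME'


def build_0_6_8a(title: str) -> str:
    """Assemble the line as 0.6.8a does: interpolate first, escape '$' last."""
    return "rrdtool" + escape_command(f' graph - --title "{title}"')


def build_quoted(title: str) -> str:
    """Hardened: quote the untrusted value as one argument before assembling."""
    return "rrdtool graph - --title " + shlex.quote(title)


if __name__ == "__main__":
    for label, line in (("0.6.8a", build_0_6_8a(UNTRUSTED_TITLE)),
                        ("quoted", build_quoted(UNTRUSTED_TITLE))):
        print(f"{label}: {line}")
        print(f"   shell still interprets: {active_metachars(line)}")
```

For the 0.6.8a line the walk reports both backticks and both semicolons as live: the `$` in `$HOME` is the only thing the escaper stopped, and the backticks stay active even though they sit inside the double quotes the template put around the title. For the quoted line nothing is reported, because the value is wrapped in single quotes at the point it enters the command, which is the property escapeshellarg() gives in PHP and the list form of system() gives in Perl by skipping the shell altogether.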

 



Powered by phpBB © 2001, 2005 phpBB Group