Bug 1470077 (CVE-2017-11163)

Summary: CVE-2017-11163 cacti: XSS in aggregate_graphs.php
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: marc.w.hagen, mstevens
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-12 13:15:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1470078, 1470079    
Bug Blocks:    

Description Andrej Nemec 2017-07-12 11:33:59 UTC 
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12
allows remote authenticated users to inject arbitrary web script or HTML via
specially crafted HTTP Referer headers, related to the $cancel_url variable.

Upstream issue:

https://github.com/Cacti/cacti/issues/847
Comment 1 Andrej Nemec 2017-07-12 11:34:19 UTC 
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 1470078]
Affects: fedora-all [bug 1470079]
Comment 2 Morten Stevens 2017-07-12 12:48:15 UTC 
There is already another CVE number for this issue: CVE-2017-10970. Please check: https://github.com/Cacti/cacti/issues/838

We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.

See:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413
https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403
https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e
https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693
Comment 3 Andrej Nemec 2017-07-12 13:01:13 UTC 
(In reply to Morten Stevens from comment #2)
> There is already another CVE number for this issue: CVE-2017-10970. Please
> check: https://github.com/Cacti/cacti/issues/838
> 
> We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.
> 
> See:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693

Are you sure that CVE-2017-10970 and CVE-2017-11163 are the same?

It seems to me that they have a different origin (link-php vs aggregate_graphs.php). As long as there are two CVEs assigned here we need to treat https://github.com/Cacti/cacti/issues/847 and https://github.com/Cacti/cacti/issues/838 as different issues.

If you feel confident that these issues are the same, you should contact mitre and open a dispute via https://cveform.mitre.org/
Comment 4 Andrej Nemec 2017-07-12 13:15:14 UTC 
Oh, I see what you mean now :) According to upstream this second issue was also fixed with the patch for the first one.

We can close this bug then. As per upstream recommendation, please try to update cacti to 1.1.3 when it's available. Thanks!
Comment 5 Morten Stevens 2017-07-12 15:05:12 UTC 
@Andrej

Thank you. Maybe you can open a new BZ for CVE-2017-10970?
Comment 6 Andrej Nemec 2017-07-12 15:15:01 UTC 
(In reply to Morten Stevens from comment #5)
> @Andrej
> 
> Thank you. Maybe you can open a new BZ for CVE-2017-10970?

Flaw bug and trackers for CVE-2017-10970 are now live, feel free to change them as you want.