Описание
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| cacti | fixed | 1.1.37+ds1-1 | package | |
| cacti | not-affected | stretch | package | |
| cacti | not-affected | jessie | package | |
| cacti | not-affected | wheezy | package |
Примечания
https://github.com/Cacti/cacti/issues/1457
get_current_page was added in the 1.x series
PHP_SELF/SCRIPT_NAME inconsistency protection in global/include.php in v<1.1.4
Связанные уязвимости
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.