security: fix SSRF, command injection, and XSS in core functions (1.2.x)

somethingwithproof · somethingwithproof · commit ecc5e7846d54 · 2026-03-28T23:42:59.000-07:00
- Validate URL in call_remote_data_collector to prevent SSRF via protocol/host injection
- Escape database, username, password, and output_file in db_dump_data exec calls
- Escape $title in html_start_box to prevent stored XSS

Defense-in-depth: all three have limited exploitability (admin-only callers,
DB-sourced inputs, or translated string titles) but are worth hardening.

Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/lib/database.php b/lib/database.php
@@ -2233,14 +2233,17 @@ function db_dump_data($database = '', $tables = '', $credentials = array(), $out
 	if (!isset($username)) {
 		$username = $database_username;
 	}
+	$safe_database   = cacti_escapeshellarg($database);
+	$safe_output     = cacti_escapeshellarg($output_file);
+
 	if (strstr($options, '--defaults-extra-file') !== false) {
-		exec("mysqldump $options $credentials_string $database $tables > " . $output_file, $output, $retval);
+		exec("mysqldump $options $credentials_string $safe_database $tables > " . $safe_output, $output, $retval);
 	} else {
-		exec("mysqldump $options $credentials_string " . $database . ' version >/dev/null 2>&1', $output, $retval);
+		exec("mysqldump $options $credentials_string " . $safe_database . ' version >/dev/null 2>&1', $output, $retval);
 		if ($retval) {
-			exec("mysqldump $options $credentials_string -u" . $username . ' -p' . $password . ' ' . $database . " $tables > " . $output_file, $output, $retval);
+			exec("mysqldump $options $credentials_string -u" . cacti_escapeshellarg($username) . ' -p' . cacti_escapeshellarg($password) . ' ' . $safe_database . " $tables > " . $safe_output, $output, $retval);
 		} else {
-			exec("mysqldump $options $credentials_string $database $tables > " . $output_file, $output, $retval);
+			exec("mysqldump $options $credentials_string $safe_database $tables > " . $safe_output, $output, $retval);
 		}
 	}
 	return $retval;
diff --git a/lib/functions.php b/lib/functions.php
@@ -6254,6 +6254,12 @@ function call_remote_data_collector($poller_id, $url, $logtype = 'WEBUI') {
 		}
 	}
 
+	// Validate URL is a relative path to prevent SSRF
+	if (strpos($url, '://') !== false || strpos($url, '@') !== false) {
+		cacti_log('ERROR: Invalid URL passed to call_remote_data_collector: ' . $url, false, 'SECURITY');
+		return '';
+	}
+
 	$fgc_contextoption = get_default_contextoption();
 	$fgc_context       = stream_context_create($fgc_contextoption);
 
diff --git a/lib/html.php b/lib/html.php
@@ -101,7 +101,7 @@ function html_start_box($title, $width, $div, $cell_padding, $align, $add_text,
 	if ($title != '') {
 		print "<div id='$table_id' class='cactiTable' style='width:$width;text-align:$align;'>";
 		print '<div>';
-		print "<div class='cactiTableTitle'><span>" . ($title != '' ? $title:'') . '</span></div>';
+		print "<div class='cactiTableTitle'><span>" . ($title != '' ? html_escape($title):'') . '</span></div>';
 		print "<div class='cactiTableButton'>";
 
 		$page      = get_current_page();

Original file line number	Diff line number	Diff line change
`@@ -6254,6 +6254,12 @@ function call_remote_data_collector($poller_id, $url, $logtype = 'WEBUI') {`
`6254`	`6254`	`}`
`6255`	`6255`	`}`
`6256`	`6256`
	`6257`	`+ // Validate URL is a relative path to prevent SSRF`
	`6258`	`+ if (strpos($url, '://') !== false \|\| strpos($url, '@') !== false) {`
	`6259`	`+ cacti_log('ERROR: Invalid URL passed to call_remote_data_collector: ' . $url, false, 'SECURITY');`
	`6260`	`+ return '';`
	`6261`	`+ }`
	`6262`	`+`
`6257`	`6263`	`$fgc_contextoption = get_default_contextoption();`
`6258`	`6264`	`$fgc_context = stream_context_create($fgc_contextoption);`
`6259`	`6265`