Summary
mactrack_view_macs.php:91 calls unserialize() on a request parameter without restricting allowed classes. A crafted serialised object payload can instantiate arbitrary PHP classes. Line 214 in the same file already uses sanitize_unserialize_selected_items() — this fix brings line 91 to parity.
Details
| Field |
Value |
| File |
mactrack_view_macs.php |
| Line |
91 |
| Auth required |
Yes — authenticated Cacti user |
| CWE |
CWE-502 |
// Before
$selected_items = unserialize(get_nfilter_request_var('selected_items'));
// After
$selected_items = unserialize(get_nfilter_request_var('selected_items'), ['allowed_classes' => false]);
if (!is_array($selected_items)) {
$selected_items = [];
}Fix applied in branch security/2-restrict-unserialize-mac-view.
Acceptance criteria
Summary
mactrack_view_macs.php:91callsunserialize()on a request parameter without restricting allowed classes. A crafted serialised object payload can instantiate arbitrary PHP classes. Line 214 in the same file already usessanitize_unserialize_selected_items()— this fix brings line 91 to parity.Details
Fix applied in branch
security/2-restrict-unserialize-mac-view.Acceptance criteria
['allowed_classes' => false]applied at line 91tests/Security/UnserializeRegressionTest.php