diff --git a/ChangeLog b/ChangeLog index a802fe224..aeeb2136c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,10 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1811519 [privileges] fixed used collation for accessing mysql.user in server privileges - it should not be possible to move or copy a table to information_schema +2.11.1.2 (not yet released) +- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group +- fixed some possible XSS with PHP_SELF, PATH_INFO, REQUEST_URI + 2.11.1.1 (2007-10-15) - bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group diff --git a/libraries/common.inc.php b/libraries/common.inc.php index 9c7a7eb7b..a305f57d3 100644 --- a/libraries/common.inc.php +++ b/libraries/common.inc.php @@ -139,6 +139,21 @@ foreach ($GLOBALS as $key => $dummy) { } } +/** + * PATH_INFO could be compromised if set, so remove it from PHP_SELF + * and provide a clean PHP_SELF here + */ +$PMA_PHP_SELF = PMA_getenv('PHP_SELF'); +$_PATH_INFO = PMA_getenv('PATH_INFO'); +if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) { + $path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO); + if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) { + $PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos); + } +} +$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF); + + /** * just to be sure there was no import (registering) before here * we empty the global space @@ -199,7 +214,7 @@ if (isset($_POST['usesubform'])) { * track this */ if (isset($_POST['redirect']) - && $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) { + && $_POST['redirect'] != basename($PMA_PHP_SELF)) { $__redirect = $_POST['redirect']; unset($_POST['redirect']); } diff --git a/libraries/common.lib.php b/libraries/common.lib.php index b7c26e125..67e7db81d 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -1449,6 +1449,7 @@ function PMA_localisedDate($timestamp = -1, $format = '') * returns a tab for tabbed navigation. * If the variables $link and $args ar left empty, an inactive tab is created * + * @uses $GLOBALS['PMA_PHP_SELF'] * @uses $GLOBALS['strEmpty'] * @uses $GLOBALS['strDrop'] * @uses $GLOBALS['active_page'] @@ -1492,7 +1493,7 @@ function PMA_getTab($tab) } elseif (!empty($tab['active']) || (isset($GLOBALS['active_page']) && $GLOBALS['active_page'] == $tab['link']) - || (basename(PMA_getenv('PHP_SELF')) == $tab['link'] && empty($tab['warning']))) + || (basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'] && empty($tab['warning']))) { $tab['class'] = 'active'; } @@ -1788,6 +1789,7 @@ function PMA_flipstring($string, $Separator = "
\n") * @todo use PMA_fatalError() if $die === true? * @uses PMA_getenv() * @uses header_meta_style.inc.php + * @uses $GLOBALS['PMA_PHP_SELF'] * basename * @param array The names of the parameters needed by the calling * script. @@ -1809,7 +1811,7 @@ function PMA_checkParameters($params, $die = true, $request = true) $checked_special = false; } - $reported_script_name = basename(PMA_getenv('PHP_SELF')); + $reported_script_name = basename($GLOBALS['PMA_PHP_SELF']); $found_error = false; $error_message = ''; diff --git a/libraries/display_change_password.lib.php b/libraries/display_change_password.lib.php index 20186af3e..b1fdc3abc 100644 --- a/libraries/display_change_password.lib.php +++ b/libraries/display_change_password.lib.php @@ -12,13 +12,11 @@ $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5) ? 'onpropertychange' : 'onchange'; -$calling_script = PMA_getenv('PHP_SELF'); - // Displays the form ?> -
+ ' . "\n" . '' . "\n"; }?> diff --git a/libraries/grab_globals.lib.php b/libraries/grab_globals.lib.php index ccd0ad172..06d983e8e 100644 --- a/libraries/grab_globals.lib.php +++ b/libraries/grab_globals.lib.php @@ -103,7 +103,7 @@ if (! empty($_FILES)) { /** * globalize some environment variables */ -$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); +$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); foreach ($server_vars as $current) { // its not important HOW we detect html tags // its more important to prevent XSS diff --git a/server_status.php b/server_status.php index 75d9137f3..b5de5cdf1 100644 --- a/server_status.php +++ b/server_status.php @@ -267,11 +267,8 @@ $sections = array( // variable or section name => (name => url) $links = array(); -// because of PMA_NO_VARIABLES_IMPORT, the $PHP_SELF globalized by -// grab_globals is not available here when register_globals = Off -// and in some situations, $_SERVER['PHP_SELF'] is not defined $links['table'][$strFlushTables] - = PMA_getenv('PHP_SELF') . '?flush=TABLES&' . PMA_generate_common_url(); + = $PMA_PHP_SELF . '?flush=TABLES&' . PMA_generate_common_url(); $links['table'][$strShowOpenTables] = 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') . '&goto=server_status.php&' . PMA_generate_common_url(); @@ -286,7 +283,7 @@ $links['repl']['MySQL - ' . $strDocu] = $cfg['MySQLManualBase'] . '/replication.html'; $links['qcache'][$strFlushQueryCache] - = PMA_getenv('PHP_SELF') . '?flush=' . urlencode('QUERY CACHE') . '&' . + = $PMA_PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&' . PMA_generate_common_url(); $links['qcache']['MySQL - ' . $strDocu] = $cfg['MySQLManualBase'] . '/query-cache.html'; @@ -345,10 +342,10 @@ $hour_factor = 3600 / $server_status['Uptime']; ?>