- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group

- fixed some possible XSS with PHP_SELF (PATH_INFO)

libraries/common.inc.php

@@ -139,6 +139,21 @@ foreach ($GLOBALS as $key => $dummy) {
     }
 }
 
+/**
+ * PATH_INFO could be compromised if set, so remove it from PHP_SELF
+ * and provide a clean PHP_SELF here
+ */
+$PMA_PHP_SELF = PMA_getenv('PHP_SELF');
+$_PATH_INFO = PMA_getenv('PATH_INFO');
+if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
+    $path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO);
+    if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {
+        $PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos);
+    }
+}
+$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
+
+
 /**
  * just to be sure there was no import (registering) before here
  * we empty the global space
@@ -199,7 +214,7 @@ if (isset($_POST['usesubform'])) {
      * track this
      */
     if (isset($_POST['redirect'])
-      && $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) {
+      && $_POST['redirect'] != basename($PMA_PHP_SELF)) {
         $__redirect = $_POST['redirect'];
         unset($_POST['redirect']);
     }

libraries/common.lib.php

@@ -1449,6 +1449,7 @@ function PMA_localisedDate($timestamp = -1, $format = '')
  * returns a tab for tabbed navigation.
  * If the variables $link and $args ar left empty, an inactive tab is created
  *
+ * @uses    $GLOBALS['PMA_PHP_SELF']
  * @uses    $GLOBALS['strEmpty']
  * @uses    $GLOBALS['strDrop']
  * @uses    $GLOBALS['active_page']
@@ -1492,7 +1493,7 @@ function PMA_getTab($tab)
         } elseif (!empty($tab['active'])
           || (isset($GLOBALS['active_page'])
                && $GLOBALS['active_page'] == $tab['link'])
-          || (basename(PMA_getenv('PHP_SELF')) == $tab['link'] && empty($tab['warning'])))
+          || (basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'] && empty($tab['warning'])))
         {
             $tab['class'] = 'active';
         }
@@ -1788,6 +1789,7 @@ function PMA_flipstring($string, $Separator = "<br />\n")
  * @todo    use PMA_fatalError() if $die === true?
  * @uses    PMA_getenv()
  * @uses    header_meta_style.inc.php
+ * @uses    $GLOBALS['PMA_PHP_SELF']
  * basename
  * @param   array   The names of the parameters needed by the calling
  *                  script.
@@ -1809,7 +1811,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
         $checked_special = false;
     }
 
-    $reported_script_name = basename(PMA_getenv('PHP_SELF'));
+    $reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
     $found_error = false;
     $error_message = '';
 

libraries/display_change_password.lib.php

@@ -12,13 +12,11 @@ $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
                  ? 'onpropertychange'
                  : 'onchange';
 
-$calling_script = PMA_getenv('PHP_SELF');
-
 // Displays the form
 ?>
-<form method="post" action="<?php echo $calling_script; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
+<form method="post" action="<?php echo $GLOBALS['PMA_PHP_SELF']; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
     <?php   echo PMA_generate_common_hidden_inputs();
-            if (strpos($calling_script, 'server_privileges') !== false) {
+            if (strpos($GLOBALS['PMA_PHP_SELF'], 'server_privileges') !== false) {
                 echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
                    . '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n";
             }?>

libraries/grab_globals.lib.php

@@ -103,7 +103,7 @@ if (! empty($_FILES)) {
 /**
  * globalize some environment variables
  */
-$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
+$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
 foreach ($server_vars as $current) {
     // its not important HOW we detect html tags
     // its more important to prevent XSS