- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group

- fixed some possible XSS with PHP_SELF (PATH_INFO)
This commit is contained in:
Sebastian Mendel
2007-10-16 07:09:50 +00:00
parent bdd2250124
commit c32d999eb1
6 changed files with 33 additions and 17 deletions


@@ -25,6 +25,10 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1811519 [privileges] fixed used collation for accessing mysql.user in server privileges - bug #1811519 [privileges] fixed used collation for accessing mysql.user in server privileges
- it should not be possible to move or copy a table to information_schema - it should not be possible to move or copy a table to information_schema
2.11.1.2 (not yet released)
- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group
- fixed some possible XSS with PHP_SELF, PATH_INFO, REQUEST_URI
2.11.1.1 (2007-10-15) 2.11.1.1 (2007-10-15)
- bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group - bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group


@@ -139,6 +139,21 @@ foreach ($GLOBALS as $key => $dummy) {
} }
} }
/**
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
* and provide a clean PHP_SELF here
*/
$PMA_PHP_SELF = PMA_getenv('PHP_SELF');
$_PATH_INFO = PMA_getenv('PATH_INFO');
if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
$path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO);
if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {
$PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos);
}
}
$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
/** /**
* just to be sure there was no import (registering) before here * just to be sure there was no import (registering) before here
* we empty the global space * we empty the global space
@@ -199,7 +214,7 @@ if (isset($_POST['usesubform'])) {
* track this * track this
*/ */
if (isset($_POST['redirect']) if (isset($_POST['redirect'])
&& $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) { && $_POST['redirect'] != basename($PMA_PHP_SELF)) {
$__redirect = $_POST['redirect']; $__redirect = $_POST['redirect'];
unset($_POST['redirect']); unset($_POST['redirect']);
} }
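Review bot: `strrpos()` in the PATH_INFO check returns `false` when `$_PATH_INFO` does not occur in `$PMA_PHP_SELF`, and `false + strlen($_PATH_INFO)` then evaluates to `strlen($_PATH_INFO)`, so whenever the two strings merely have the same length the comparison passes and `substr($PMA_PHP_SELF, 0, false)` empties `$PMA_PHP_SELF`. The guard should reject the not-found case first: `if ($path_info_pos !== false && $path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {`. A comment on the final `htmlspecialchars()` line would also help the other sites in this commit, which echo the value straight into `action` attributes and hrefs: `// escaped exactly once here; callers must output $PMA_PHP_SELF as-is and never escape it again`.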


@@ -1449,6 +1449,7 @@ function PMA_localisedDate($timestamp = -1, $format = '')
* returns a tab for tabbed navigation. * returns a tab for tabbed navigation.
* If the variables $link and $args ar left empty, an inactive tab is created * If the variables $link and $args ar left empty, an inactive tab is created
* *
* @uses $GLOBALS['PMA_PHP_SELF']
* @uses $GLOBALS['strEmpty'] * @uses $GLOBALS['strEmpty']
* @uses $GLOBALS['strDrop'] * @uses $GLOBALS['strDrop']
* @uses $GLOBALS['active_page'] * @uses $GLOBALS['active_page']
@@ -1492,7 +1493,7 @@ function PMA_getTab($tab)
} elseif (!empty($tab['active']) } elseif (!empty($tab['active'])
|| (isset($GLOBALS['active_page']) || (isset($GLOBALS['active_page'])
&& $GLOBALS['active_page'] == $tab['link']) && $GLOBALS['active_page'] == $tab['link'])
|| (basename(PMA_getenv('PHP_SELF')) == $tab['link'] && empty($tab['warning']))) || (basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'] && empty($tab['warning'])))
{ {
$tab['class'] = 'active'; $tab['class'] = 'active';
} }
@@ -1788,6 +1789,7 @@ function PMA_flipstring($string, $Separator = "<br />\n")
* @todo use PMA_fatalError() if $die === true? * @todo use PMA_fatalError() if $die === true?
* @uses PMA_getenv() * @uses PMA_getenv()
* @uses header_meta_style.inc.php * @uses header_meta_style.inc.php
* @uses $GLOBALS['PMA_PHP_SELF']
* basename * basename
* @param array The names of the parameters needed by the calling * @param array The names of the parameters needed by the calling
* script. * script.
@@ -1809,7 +1811,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
$checked_special = false; $checked_special = false;
} }
$reported_script_name = basename(PMA_getenv('PHP_SELF')); $reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
$found_error = false; $found_error = false;
$error_message = ''; $error_message = '';
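Review bot: The new `@uses $GLOBALS['PMA_PHP_SELF']` tags in PMA_getTab and PMA_checkParameters record the dependency but not that the value arrives already passed through `htmlspecialchars()`, which is what makes the `basename()` comparison against `$tab['link']` and the later rendering of `$reported_script_name` safe; a reader who does not know that is likely to escape it a second time in the error output, presumably double-encoding any `&amp;`. I would extend both tags to `@uses $GLOBALS['PMA_PHP_SELF'] (already HTML-escaped in common.inc; do not escape again)`. The bodies of both functions continue outside their hunks.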


@@ -12,13 +12,11 @@ $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
? 'onpropertychange' ? 'onpropertychange'
: 'onchange'; : 'onchange';
$calling_script = PMA_getenv('PHP_SELF');
// Displays the form // Displays the form
?> ?>
<form method="post" action="<?php echo $calling_script; ?>" name="chgPassword" onsubmit="return checkPassword(this)"> <form method="post" action="<?php echo $GLOBALS['PMA_PHP_SELF']; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
<?php echo PMA_generate_common_hidden_inputs(); <?php echo PMA_generate_common_hidden_inputs();
if (strpos($calling_script, 'server_privileges') !== false) { if (strpos($GLOBALS['PMA_PHP_SELF'], 'server_privileges') !== false) {
echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n" echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
. '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n"; . '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n";
}?> }?>
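Review bot: The form `action` and the `strpos()` branch now echo and inspect `$GLOBALS['PMA_PHP_SELF']` raw, which is safe only because the value is escaped once where it is defined in the common include changed earlier in this commit; nothing at this site says so, and a later edit could wrap it in `htmlspecialchars()` again or swap in `$_SERVER['PHP_SELF']` without noticing. A comment before the `?>` would pin the contract: `// $GLOBALS['PMA_PHP_SELF'] is already HTML-escaped by the common include; output it as-is`. As a point of style, `strpos($GLOBALS['PMA_PHP_SELF'], 'server_privileges') !== false` matches any path containing that substring; `basename($GLOBALS['PMA_PHP_SELF']) == 'server_privileges.php'` states the intent more precisely.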


@@ -103,7 +103,7 @@ if (! empty($_FILES)) {
/** /**
* globalize some environment variables * globalize some environment variables
*/ */
$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); $server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
foreach ($server_vars as $current) { foreach ($server_vars as $current) {
// its not important HOW we detect html tags // its not important HOW we detect html tags
// its more important to prevent XSS // its more important to prevent XSS
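Review bot: Removing `'PHP_SELF'` from `$server_vars` means the loop below no longer defines a global `$PHP_SELF`, so any script that still reads the bare variable would now see an undefined value with no tag-stripping at all; the comment deleted in the server-status section of this commit refers to exactly that globalized `$PHP_SELF`, so such references presumably existed at some point. A grep for `$PHP_SELF` outside `$_SERVER` across the tree would confirm none remain, and any survivors should read `$GLOBALS['PMA_PHP_SELF']` so there is a single, escaped definition. The foreach body continues past the hunk.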


@@ -267,11 +267,8 @@ $sections = array(
// variable or section name => (name => url) // variable or section name => (name => url)
$links = array(); $links = array();
// because of PMA_NO_VARIABLES_IMPORT, the $PHP_SELF globalized by
// grab_globals is not available here when register_globals = Off
// and in some situations, $_SERVER['PHP_SELF'] is not defined
$links['table'][$strFlushTables] $links['table'][$strFlushTables]
= PMA_getenv('PHP_SELF') . '?flush=TABLES&amp;' . PMA_generate_common_url(); = $PMA_PHP_SELF . '?flush=TABLES&amp;' . PMA_generate_common_url();
$links['table'][$strShowOpenTables] $links['table'][$strShowOpenTables]
= 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') . = 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') .
'&amp;goto=server_status.php&amp;' . PMA_generate_common_url(); '&amp;goto=server_status.php&amp;' . PMA_generate_common_url();
@@ -286,7 +283,7 @@ $links['repl']['MySQL - ' . $strDocu]
= $cfg['MySQLManualBase'] . '/replication.html'; = $cfg['MySQLManualBase'] . '/replication.html';
$links['qcache'][$strFlushQueryCache] $links['qcache'][$strFlushQueryCache]
= PMA_getenv('PHP_SELF') . '?flush=' . urlencode('QUERY CACHE') . '&amp;' . = $PMA_PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&amp;' .
PMA_generate_common_url(); PMA_generate_common_url();
$links['qcache']['MySQL - ' . $strDocu] $links['qcache']['MySQL - ' . $strDocu]
= $cfg['MySQLManualBase'] . '/query-cache.html'; = $cfg['MySQLManualBase'] . '/query-cache.html';
@@ -345,10 +342,10 @@ $hour_factor = 3600 / $server_status['Uptime'];
?> ?>
<div id="statuslinks"> <div id="statuslinks">
<a href="<?php echo <a href="<?php echo
PMA_getenv('PHP_SELF') . '?' . PMA_generate_common_url(); ?>" $PMA_PHP_SELF . '?' . PMA_generate_common_url(); ?>"
><?php echo $strRefresh; ?></a> ><?php echo $strRefresh; ?></a>
<a href="<?php echo <a href="<?php echo
PMA_getenv('PHP_SELF') . '?flush=STATUS&amp;' . PMA_generate_common_url(); ?>" $PMA_PHP_SELF . '?flush=STATUS&amp;' . PMA_generate_common_url(); ?>"
><?php echo $strShowStatusReset; ?></a> ><?php echo $strShowStatusReset; ?></a>
<a href="<?php echo <a href="<?php echo
$cfg['MySQLManualBase']; ?>/server-status-variables.html" $cfg['MySQLManualBase']; ?>/server-status-variables.html"
@@ -367,7 +364,7 @@ echo sprintf($strServerStatusUptime,
<?php <?php
foreach ($sections as $section_name => $section) { foreach ($sections as $section_name => $section) {
if (! empty($section['vars']) && ! empty($section['title'])) { if (! empty($section['vars']) && ! empty($section['title'])) {
echo '<a href="' . PMA_getenv('PHP_SELF') . '?' . echo '<a href="' . $PMA_PHP_SELF . '?' .
PMA_generate_common_url() . '#' . $section_name . '">' . PMA_generate_common_url() . '#' . $section_name . '">' .
$section['title'] . '</a>' . "\n"; $section['title'] . '</a>' . "\n";
} }
@@ -586,7 +583,7 @@ foreach ($sections as $section_name => $section) {
<table class="data" id="serverstatussection<?php echo $section_name; ?>"> <table class="data" id="serverstatussection<?php echo $section_name; ?>">
<caption class="tblHeaders"> <caption class="tblHeaders">
<a class="top" <a class="top"
href="<?php echo PMA_getenv('PHP_SELF') . '?' . href="<?php echo $PMA_PHP_SELF . '?' .
PMA_generate_common_url() . '#serverstatus'; ?>" PMA_generate_common_url() . '#serverstatus'; ?>"
name="<?php echo $section_name; ?>"><?php echo $strPos1; ?> name="<?php echo $section_name; ?>"><?php echo $strPos1; ?>
<?php echo <?php echo