- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group
- fixed some possible XSS with PHP_SELF (PATH_INFO)
This commit is contained in:
Sebastian Mendel
@@ -25,6 +25,10 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
|
||||
- bug #1811519 [privileges] fixed used collation for accessing mysql.user in server privileges
|
||||
- it should not be possible to move or copy a table to information_schema
|
||||
|
||||
2.11.1.2 (not yet released)
|
||||
- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group
|
||||
- fixed some possible XSS with PHP_SELF, PATH_INFO, REQUEST_URI
|
||||
|
||||
2.11.1.1 (2007-10-15)
|
||||
- bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group
|
||||
|
||||
|
||||
@@ -139,6 +139,21 @@ foreach ($GLOBALS as $key => $dummy) {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
|
||||
* and provide a clean PHP_SELF here
|
||||
*/
|
||||
$PMA_PHP_SELF = PMA_getenv('PHP_SELF');
|
||||
$_PATH_INFO = PMA_getenv('PATH_INFO');
|
||||
if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
|
||||
$path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO);
|
||||
if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {
|
||||
$PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos);
|
||||
}
|
||||
}
|
||||
$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
|
||||
|
||||
|
||||
/**
|
||||
* just to be sure there was no import (registering) before here
|
||||
* we empty the global space
|
||||
@@ -199,7 +214,7 @@ if (isset($_POST['usesubform'])) {
|
||||
* track this
|
||||
*/
|
||||
if (isset($_POST['redirect'])
|
||||
&& $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) {
|
||||
&& $_POST['redirect'] != basename($PMA_PHP_SELF)) {
|
||||
$__redirect = $_POST['redirect'];
|
||||
unset($_POST['redirect']);
|
||||
}
|
||||
|
||||
@@ -1449,6 +1449,7 @@ function PMA_localisedDate($timestamp = -1, $format = '')
|
||||
* returns a tab for tabbed navigation.
|
||||
* If the variables $link and $args ar left empty, an inactive tab is created
|
||||
*
|
||||
* @uses $GLOBALS['PMA_PHP_SELF']
|
||||
* @uses $GLOBALS['strEmpty']
|
||||
* @uses $GLOBALS['strDrop']
|
||||
* @uses $GLOBALS['active_page']
|
||||
@@ -1492,7 +1493,7 @@ function PMA_getTab($tab)
|
||||
} elseif (!empty($tab['active'])
|
||||
|| (isset($GLOBALS['active_page'])
|
||||
&& $GLOBALS['active_page'] == $tab['link'])
|
||||
|| (basename(PMA_getenv('PHP_SELF')) == $tab['link'] && empty($tab['warning'])))
|
||||
|| (basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'] && empty($tab['warning'])))
|
||||
{
|
||||
$tab['class'] = 'active';
|
||||
}
|
||||
@@ -1788,6 +1789,7 @@ function PMA_flipstring($string, $Separator = "<br />\n")
|
||||
* @todo use PMA_fatalError() if $die === true?
|
||||
* @uses PMA_getenv()
|
||||
* @uses header_meta_style.inc.php
|
||||
* @uses $GLOBALS['PMA_PHP_SELF']
|
||||
* basename
|
||||
* @param array The names of the parameters needed by the calling
|
||||
* script.
|
||||
@@ -1809,7 +1811,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
|
||||
$checked_special = false;
|
||||
}
|
||||
|
||||
$reported_script_name = basename(PMA_getenv('PHP_SELF'));
|
||||
$reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
|
||||
$found_error = false;
|
||||
$error_message = '';
|
||||
|
||||
|
||||
@@ -12,13 +12,11 @@ $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
|
||||
? 'onpropertychange'
|
||||
: 'onchange';
|
||||
|
||||
$calling_script = PMA_getenv('PHP_SELF');
|
||||
|
||||
// Displays the form
|
||||
?>
|
||||
<form method="post" action="<?php echo $calling_script; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
|
||||
<form method="post" action="<?php echo $GLOBALS['PMA_PHP_SELF']; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
|
||||
<?php echo PMA_generate_common_hidden_inputs();
|
||||
if (strpos($calling_script, 'server_privileges') !== false) {
|
||||
if (strpos($GLOBALS['PMA_PHP_SELF'], 'server_privileges') !== false) {
|
||||
echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
|
||||
. '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n";
|
||||
}?>
|
||||
|
||||
@@ -103,7 +103,7 @@ if (! empty($_FILES)) {
|
||||
/**
|
||||
* globalize some environment variables
|
||||
*/
|
||||
$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
|
||||
$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
|
||||
foreach ($server_vars as $current) {
|
||||
// its not important HOW we detect html tags
|
||||
// its more important to prevent XSS
|
||||
|
||||
@@ -267,11 +267,8 @@ $sections = array(
|
||||
// variable or section name => (name => url)
|
||||
$links = array();
|
||||
|
||||
// because of PMA_NO_VARIABLES_IMPORT, the $PHP_SELF globalized by
|
||||
// grab_globals is not available here when register_globals = Off
|
||||
// and in some situations, $_SERVER['PHP_SELF'] is not defined
|
||||
$links['table'][$strFlushTables]
|
||||
= PMA_getenv('PHP_SELF') . '?flush=TABLES&' . PMA_generate_common_url();
|
||||
= $PMA_PHP_SELF . '?flush=TABLES&' . PMA_generate_common_url();
|
||||
$links['table'][$strShowOpenTables]
|
||||
= 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') .
|
||||
'&goto=server_status.php&' . PMA_generate_common_url();
|
||||
@@ -286,7 +283,7 @@ $links['repl']['MySQL - ' . $strDocu]
|
||||
= $cfg['MySQLManualBase'] . '/replication.html';
|
||||
|
||||
$links['qcache'][$strFlushQueryCache]
|
||||
= PMA_getenv('PHP_SELF') . '?flush=' . urlencode('QUERY CACHE') . '&' .
|
||||
= $PMA_PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&' .
|
||||
PMA_generate_common_url();
|
||||
$links['qcache']['MySQL - ' . $strDocu]
|
||||
= $cfg['MySQLManualBase'] . '/query-cache.html';
|
||||
@@ -345,10 +342,10 @@ $hour_factor = 3600 / $server_status['Uptime'];
|
||||
?>
|
||||
<div id="statuslinks">
|
||||
<a href="<?php echo
|
||||
PMA_getenv('PHP_SELF') . '?' . PMA_generate_common_url(); ?>"
|
||||
$PMA_PHP_SELF . '?' . PMA_generate_common_url(); ?>"
|
||||
><?php echo $strRefresh; ?></a>
|
||||
<a href="<?php echo
|
||||
PMA_getenv('PHP_SELF') . '?flush=STATUS&' . PMA_generate_common_url(); ?>"
|
||||
$PMA_PHP_SELF . '?flush=STATUS&' . PMA_generate_common_url(); ?>"
|
||||
><?php echo $strShowStatusReset; ?></a>
|
||||
<a href="<?php echo
|
||||
$cfg['MySQLManualBase']; ?>/server-status-variables.html"
|
||||
@@ -367,7 +364,7 @@ echo sprintf($strServerStatusUptime,
|
||||
<?php
|
||||
foreach ($sections as $section_name => $section) {
|
||||
if (! empty($section['vars']) && ! empty($section['title'])) {
|
||||
echo '<a href="' . PMA_getenv('PHP_SELF') . '?' .
|
||||
echo '<a href="' . $PMA_PHP_SELF . '?' .
|
||||
PMA_generate_common_url() . '#' . $section_name . '">' .
|
||||
$section['title'] . '</a>' . "\n";
|
||||
}
|
||||
@@ -586,7 +583,7 @@ foreach ($sections as $section_name => $section) {
|
||||
<table class="data" id="serverstatussection<?php echo $section_name; ?>">
|
||||
<caption class="tblHeaders">
|
||||
<a class="top"
|
||||
href="<?php echo PMA_getenv('PHP_SELF') . '?' .
|
||||
href="<?php echo $PMA_PHP_SELF . '?' .
|
||||
PMA_generate_common_url() . '#serverstatus'; ?>"
|
||||
name="<?php echo $section_name; ?>"><?php echo $strPos1; ?>
|
||||
<?php echo
|
||||
|
||||
Reference in New Issue
Block a user