nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group

Browse Source 
- fixed some possible XSS with PHP_SELF (PATH_INFO)
- commented out some use of PATH_INFO ... needs further testing
This commit is contained in:
Sebastian Mendel
2007-10-16 07:11:28 +00:00
parent 7816ec7b1a
commit ef7a052074
7 changed files with 58 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@@ -31,6 +31,10 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1811519 [privileges] fixed used collation for accessing mysql.user in server privileges
- it should not be possible to move or copy a table to information_schema
2.11.1.2 (not yet released)
- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group
- fixed some possible XSS with PHP_SELF, PATH_INFO, REQUEST_URI
2.11.1.1 (2007-10-15)
- bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group

33
libraries/Config.class.php
View File

@@ -557,12 +557,16 @@ class PMA_Config
$url = array();
// At first we try to parse REQUEST_URI, it might contain full URL
/**
* REQUEST_URI contains PATH_INFO too, this is not what we want
* script-php/pathinfo/
if (PMA_getenv('REQUEST_URI')) {
$url = @parse_url(PMA_getenv('REQUEST_URI')); // produces E_WARNING if it cannot get parsed, e.g. '/foobar:/'
if ($url === false) {
$url = array('path' => $_SERVER['REQUEST_URI']);
}
}
*/
// If we don't have scheme, we didn't have full URL so we need to
// dig deeper
@@ -599,13 +603,17 @@ class PMA_Config
// And finally the path could be already set from REQUEST_URI
if (empty($url['path'])) {
/**
* REQUEST_URI contains PATH_INFO too, this is not what we want
* script-php/pathinfo/
if (PMA_getenv('PATH_INFO')) {
$path = parse_url(PMA_getenv('PATH_INFO'));
} else {
// PHP_SELF in CGI often points to cgi executable, so use it
// as last choice
$path = parse_url(PMA_getenv('PHP_SELF'));
}
*/
$path = parse_url($GLOBALS['PMA_PHP_SELF']);
//}
$url['path'] = $path['path'];
}
}
@@ -836,27 +844,36 @@ class PMA_Config
$url = '';
/**
* REQUEST_URI contains PATH_INFO too, this is not what we want
* script-php/pathinfo/
if (PMA_getenv('REQUEST_URI')) {
$url = PMA_getenv('REQUEST_URI');
}
*/
// If we don't have path
if (empty($url)) {
if (PMA_getenv('PATH_INFO')) {
$url = PMA_getenv('PATH_INFO');
} elseif (PMA_getenv('PHP_SELF')) {
//if (PMA_getenv('PATH_INFO')) {
// $url = PMA_getenv('PATH_INFO');
//} else
if ($GLOBALS['PMA_PHP_SELF']) {
// PHP_SELF in CGI often points to cgi executable, so use it
// as last choice
$url = PMA_getenv('PHP_SELF');
$url = $GLOBALS['PMA_PHP_SELF'];
} elseif (PMA_getenv('SCRIPT_NAME')) {
$url = PMA_getenv('PHP_SELF');
$url = $GLOBALS['PMA_PHP_SELF'];
}
}
/**
* REQUEST_URI contains PATH_INFO too, this is not what we want
* script-php/pathinfo/
$parsed_url = @parse_url($_SERVER['REQUEST_URI']); // produces E_WARNING if it cannot get parsed, e.g. '/foobar:/'
if ($parsed_url === false) {
*/
$parsed_url = array('path' => $url);
}
//}
$cookie_path = substr($parsed_url['path'], 0, strrpos($parsed_url['path'], '/')) . '/';

17
libraries/common.inc.php
View File

@@ -136,6 +136,21 @@ foreach ($GLOBALS as $key => $dummy) {
}
}
/**
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
* and provide a clean PHP_SELF here
*/
$PMA_PHP_SELF = PMA_getenv('PHP_SELF');
$_PATH_INFO = PMA_getenv('PATH_INFO');
if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
$path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO);
if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {
$PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos);
}
}
$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
/**
* just to be sure there was no import (registering) before here
* we empty the global space
@@ -197,7 +212,7 @@ if (isset($_POST['usesubform'])) {
* track this
*/
if (isset($_POST['redirect'])
&& $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) {
&& $_POST['redirect'] != basename($PMA_PHP_SELF)) {
$__redirect = $_POST['redirect'];
unset($_POST['redirect']);
}

6
libraries/common.lib.php
View File

@@ -1504,6 +1504,7 @@ function PMA_localisedDate($timestamp = -1, $format = '')
* returns a tab for tabbed navigation.
* If the variables $link and $args ar left empty, an inactive tab is created
*
* @uses $GLOBALS['PMA_PHP_SELF']
* @uses $GLOBALS['strEmpty']
* @uses $GLOBALS['strDrop']
* @uses $GLOBALS['active_page']
@@ -1548,7 +1549,7 @@ function PMA_getTab($tab)
|| PMA_isValid($GLOBALS['active_page'], 'identical', $tab['link'])) {
$tab['class'] = 'active';
} elseif (empty($GLOBALS['active_page'])
&& basename(PMA_getenv('PHP_SELF')) == $tab['link']
&& basename($GLOBALS['PMA_PHP_SELF']) == $tab['link']
&& empty($tab['warning'])) {
$tab['class'] = 'active';
}
@@ -1844,6 +1845,7 @@ function PMA_flipstring($string, $Separator = "<br />\n")
* @todo use PMA_fatalError() if $die === true?
* @uses PMA_getenv()
* @uses header_meta_style.inc.php
* @uses $GLOBALS['PMA_PHP_SELF']
* basename
* @param array The names of the parameters needed by the calling
* script.
@@ -1865,7 +1867,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
$checked_special = false;
}
$reported_script_name = basename(PMA_getenv('PHP_SELF'));
$reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
$found_error = false;
$error_message = '';

6
libraries/display_change_password.lib.php
View File

@@ -12,13 +12,11 @@ $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
? 'onpropertychange'
: 'onchange';
$calling_script = PMA_getenv('PHP_SELF');
// Displays the form
?>
<form method="post" action="<?php echo $calling_script; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
<form method="post" action="<?php echo $GLOBALS['PMA_PHP_SELF']; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
<?php echo PMA_generate_common_hidden_inputs();
if (strpos($calling_script, 'server_privileges') !== false) {
if (strpos($GLOBALS['PMA_PHP_SELF'], 'server_privileges') !== false) {
echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
. '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n";
}?>

2
libraries/grab_globals.lib.php
View File

@@ -104,7 +104,7 @@ if (! empty($_FILES)) {
/**
* globalize some environment variables
*/
$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
foreach ($server_vars as $current) {
// its not important HOW we detect html tags
// its more important to prevent XSS

15
server_status.php
View File

@@ -259,11 +259,8 @@ $sections = array(
// variable or section name => (name => url)
$links = array();
// because of PMA_NO_VARIABLES_IMPORT, the $PHP_SELF globalized by
// grab_globals is not available here when register_globals = Off
// and in some situations, $_SERVER['PHP_SELF'] is not defined
$links['table'][$strFlushTables]
= PMA_getenv('PHP_SELF') . '?flush=TABLES&amp;' . PMA_generate_common_url();
= $PMA_PHP_SELF . '?flush=TABLES&amp;' . PMA_generate_common_url();
$links['table'][$strShowOpenTables]
= 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') .
'&amp;goto=server_status.php&amp;' . PMA_generate_common_url();
@@ -278,7 +275,7 @@ $links['repl']['MySQL - ' . $strDocu]
= $cfg['MySQLManualBase'] . '/replication.html';
$links['qcache'][$strFlushQueryCache]
= PMA_getenv('PHP_SELF') . '?flush=' . urlencode('QUERY CACHE') . '&amp;' .
= $PMA_PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&amp;' .
PMA_generate_common_url();
$links['qcache']['MySQL - ' . $strDocu]
= $cfg['MySQLManualBase'] . '/query-cache.html';
@@ -337,10 +334,10 @@ $hour_factor = 3600 / $server_status['Uptime'];
?>
<div id="statuslinks">
<a href="<?php echo
PMA_getenv('PHP_SELF') . '?' . PMA_generate_common_url(); ?>"
$PMA_PHP_SELF . '?' . PMA_generate_common_url(); ?>"
><?php echo $strRefresh; ?></a>
<a href="<?php echo
PMA_getenv('PHP_SELF') . '?flush=STATUS&amp;' . PMA_generate_common_url(); ?>"
$PMA_PHP_SELF . '?flush=STATUS&amp;' . PMA_generate_common_url(); ?>"
><?php echo $strShowStatusReset; ?></a>
<a href="<?php echo
$cfg['MySQLManualBase']; ?>/server-status-variables.html"
@@ -359,7 +356,7 @@ echo sprintf($strServerStatusUptime,
<?php
foreach ($sections as $section_name => $section) {
if (! empty($section['vars']) && ! empty($section['title'])) {
echo '<a href="' . PMA_getenv('PHP_SELF') . '?' .
echo '<a href="' . $PMA_PHP_SELF . '?' .
PMA_generate_common_url() . '#' . $section_name . '">' .
$section['title'] . '</a>' . "\n";
}
@@ -578,7 +575,7 @@ foreach ($sections as $section_name => $section) {
<table class="data" id="serverstatussection<?php echo $section_name; ?>">
<caption class="tblHeaders">
<a class="top"
href="<?php echo PMA_getenv('PHP_SELF') . '?' .
href="<?php echo $PMA_PHP_SELF . '?' .
PMA_generate_common_url() . '#serverstatus'; ?>"
name="<?php echo $section_name; ?>"><?php echo $strPos1; ?>
<?php echo