Fix XSS in install.php
This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue #17937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes #17938
dregad committed Jan 9, 2015
1 parent 7cc4539 commit 132cd6d
Showing 1 changed file with 19 additions and 19 deletions.
38 changes: 19 additions & 19 deletions admin/install.php
Expand Up @@ -458,7 +458,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
<td bgcolor="#ffffff">
Checking Database Server Version
<?php
echo '<br /> Running ' . $f_db_type . ' version ' . nl2br( $t_version_info['description'] );
echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . nl2br( $t_version_info['description'] );
?>
</td>
<?php
Expand Down Expand Up @@ -581,7 +581,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
Hostname (for Database Server)
</td>
<td>
<input name="hostname" type="textbox" value="<?php echo $f_hostname?>">
<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>">
</td>
</tr>

Expand All @@ -591,7 +591,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
Username (for Database)
</td>
<td>
<input name="db_username" type="textbox" value="<?php echo $f_db_username?>">
<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>">
</td>
</tr>

Expand All @@ -614,7 +614,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
Database name (for Database)
</td>
<td>
<input name="database_name" type="textbox" value="<?php echo $f_database_name?>">
<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>">
</td>
</tr>
<?php
Expand All @@ -627,7 +627,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
</td>
<td>
<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>">
<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>">
</td>
</tr>

Expand All @@ -639,7 +639,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
<input name="admin_password" type="password" value="<?php
echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
? CONFIGURED_PASSWORD
: $f_admin_password;
: string_attribute( $f_admin_password );
?>">
</td>
</tr>
Expand Down Expand Up @@ -1024,13 +1024,13 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
# @todo to be written
# must post data gathered to preserve it
?>
<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
<input name="db_password" type="hidden" value="<?php echo $f_db_password?>">
<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>">
<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
<input name="db_password" type="hidden" value="<?php echo string_attribute( f_db_password ) ?>">
<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>">
<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>">
<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">
<?php
Expand Down Expand Up @@ -1330,20 +1330,20 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
<td bgcolor="#ffffff">
<form method='POST'>
<input name="install" type="hidden" value="<?php echo $t_install_state?>">
<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
<input name="db_password" type="hidden" value="<?php
echo !is_blank( $f_db_password ) && $t_config_exists
? CONFIGURED_PASSWORD
: $f_db_password;
: string_attribute( $f_db_password );
?>">
<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
<input name="admin_password" type="hidden" value="<?php
echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
? CONFIGURED_PASSWORD
: $f_admin_password;
: string_attribute( $f_admin_password );
?>">
<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">
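Review bot: In the hidden-field block of the hunk starting at line 1024, the new `db_password` line calls `string_attribute( f_db_password )` without the `$`, so PHP resolves the argument as a bare constant name instead of the submitted value. The field then carries the wrong text (or the page errors on newer PHP), and the next installer step receives a broken credential; it should read `<?php echo string_attribute( $f_db_password ) ?>`. In the last hunk, the context line `<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">` is still echoed raw while its siblings are now escaped, so the attribute-context issue this commit addresses remains for that parameter and it needs `string_attribute()` as well. In the first hunk `nl2br( $t_version_info['description'] )` is also printed unescaped; it appears to come from the database server rather than the request, so it is lower risk, but escaping it before `nl2br` would keep the output handling consistent.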