From 132cd6d041f8ef5811e4eca8bdb516c893ebb52e Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 27 Dec 2014 18:47:58 +0100
Subject: [PATCH] Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue #17937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes #17938
---
 admin/install.php | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/admin/install.php b/admin/install.php
index 5a70f2c095..ecbbf417a8 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -458,7 +458,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	<td bgcolor="#ffffff">
 		Checking Database Server Version
 		<?php
-		echo '<br /> Running ' . $f_db_type . ' version ' . nl2br( $t_version_info['description'] );
+		echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . nl2br( $t_version_info['description'] );
 		?>
 	</td>
 	<?php
@@ -581,7 +581,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		Hostname (for Database Server)
 	</td>
 	<td>
-		<input name="hostname" type="textbox" value="<?php echo $f_hostname?>">
+		<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>">
 	</td>
 </tr>
 
@@ -591,7 +591,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		Username (for Database)
 	</td>
 	<td>
-		<input name="db_username" type="textbox" value="<?php echo $f_db_username?>">
+		<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>">
 	</td>
 </tr>
 
@@ -614,7 +614,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		Database name (for Database)
 	</td>
 	<td>
-		<input name="database_name" type="textbox" value="<?php echo $f_database_name?>">
+		<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>">
 	</td>
 </tr>
 <?php
@@ -627,7 +627,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 	</td>
 	<td>
-		<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>">
+		<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>">
 	</td>
 </tr>
 
@@ -639,7 +639,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		<input name="admin_password" type="password" value="<?php
 			echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
 				? CONFIGURED_PASSWORD
-				: $f_admin_password;
+				: string_attribute( $f_admin_password );
 		?>">
 	</td>
 </tr>
@@ -1024,13 +1024,13 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	# @todo to be written
 	# must post data gathered to preserve it
 	?>
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
-		<input name="db_password" type="hidden" value="<?php echo $f_db_password?>">
-		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
-		<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>">
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
+		<input name="db_password" type="hidden" value="<?php echo string_attribute( f_db_password ) ?>">
+		<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>">
+		<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>">
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">
 <?php
@@ -1330,20 +1330,20 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	<td bgcolor="#ffffff">
 <form method='POST'>
 		<input name="install" type="hidden" value="<?php echo $t_install_state?>">
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
 		<input name="db_password" type="hidden" value="<?php
 			echo !is_blank( $f_db_password ) && $t_config_exists
 				? CONFIGURED_PASSWORD
-				: $f_db_password;
+				: string_attribute( $f_db_password );
 		?>">
 		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
 		<input name="admin_password" type="hidden" value="<?php
 			echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
 				? CONFIGURED_PASSWORD
-				: $f_admin_password;
+				: string_attribute( $f_admin_password );
 		?>">
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">