

Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, which allows an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes #23146
dregad committed Aug 1, 2017
1 parent 9b5b71d commit c73ae3d
Showing 1 changed file with 50 additions and 10 deletions.
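--- a/admin/install.php
+++ b/admin/install.php
@@ -421,7 +421,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_version_info = null;
 }
 ?>
@@ -441,7 +445,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 $t_db_open = true;
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -793,9 +801,17 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 }
 
 if( $t_db_exists ) {
-print_test_result( BAD, false, 'Database already exists? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database already exists? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 } else {
-print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_install_state--; # db creation failed, allow user to re-enter user/password info
 }
 }
@@ -817,7 +833,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 $g_db->Close();
 ?>
@@ -1217,7 +1237,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user does not have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user does not have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1232,7 +1256,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have SELECT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have SELECT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1247,7 +1275,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have INSERT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have INSERT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1262,7 +1294,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have UPDATE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have UPDATE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1277,7 +1313,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have DELETE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have DELETE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>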
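Review bot: The escaping is applied separately at each of the ten `print_test_result( BAD, ... )` call sites in this file rather than once where the message is rendered, so any future call that concatenates `db_error_msg()` without `string_attribute()` silently reopens the same issue; if no caller relies on passing pre-built HTML in the message argument (I cannot see `print_test_result()` from this page), escaping inside that function, or behind a small helper used by all ten sites, would close the pattern for good. The same remark applies to every hunk of this section, starting with the first at line 421. Per the description the error text reflects values submitted through the install form, which is worth recording at the first site with a comment such as `# db_error_msg() can echo form-supplied connection settings; escape before rendering into HTML`. Each hunk shows only the `else` branch of an `if` whose opening lies before the hunk, so the surrounding control flow is not visible here.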
