From c73ae3d3d4dd4681489a9e697e8ade785e27cba5 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Tue, 1 Aug 2017 13:00:04 +0200
Subject: [PATCH] Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this vulnerability, allowing an attacker to inject arbitrary code through crafted forms variables. Sanitizing the database error message prior to output prevents the attack.
Fixes #23146
---
 admin/install.php | 60 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 10 deletions(-)
diff --git a/admin/install.php b/admin/install.php
index 45a46a41b9..cd07bb50a1 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -421,7 +421,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Does administrative user have access to the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 $t_version_info = null;
 }
 ?>
@@ -441,7 +445,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 $t_db_open = true;
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ false,
+ 'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
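Review bot: In the `@@ -421` hunk the fix is applied at the call site, so print_test_result() still trusts whatever is passed as its third argument; any other caller that concatenates dynamic text into that message (now or in a later change) is one forgotten string_attribute() away from the same XSS, and escaping inside print_test_result() itself — or a small helper that builds the DB-error message — would make the fix hard to regress. The hunk also does not show how print_test_result() renders the message, so two things are worth confirming: that the output context really is an HTML attribute (string_attribute() is named for that case; element text would normally take the plain HTML escaper), and that print_test_result() does not already encode its argument, which would turn an `&` in a driver message into `&amp;amp;`. A short comment on the patched line would record why the call must stay, e.g. `# db_error_msg() may reflect submitted form values (CVE-2017-12061); escape before output`. The if/else these lines belong to starts before the hunk.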
@@ -793,9 +801,17 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 }
 if( $t_db_exists ) {
- print_test_result( BAD, false, 'Database already exists? ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ false,
+ 'Database already exists? ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 } else {
- print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 $t_install_state--; # db creation failed, allow user to re-enter user/password info
 }
 }
@@ -817,7 +833,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ false,
+ 'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 $g_db->Close();
 ?>
@@ -1217,7 +1237,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, false, 'Database user does not have access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ false,
+ 'Database user does not have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
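Review bot: In the `@@ -793` hunk the hard-fail branch still echoes the driver's error text to the browser and then decrements `$t_install_state` so the form can be resubmitted, so with the injection closed this remains an error-reflection surface: the message can carry the submitted host, user and database name plus whatever diagnostics the driver appends, and if admin/install.php is still reachable after installation that text goes to an anonymous visitor. I cannot tell from the hunk whether the script refuses to run once installation is complete; if it does not, that gate is the more important control and the encoding here is the second layer. If the driver text is only useful to the administrator, recording it with `error_log( 'install: database creation failed: ' . db_error_msg() );` and printing a generic hint would avoid exposing it at all. The block that the leading ` }` closes starts before the hunk.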
@@ -1232,7 +1256,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, true, 'Database user does not have SELECT access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Database user does not have SELECT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
@@ -1247,7 +1275,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, true, 'Database user does not have INSERT access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Database user does not have INSERT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
@@ -1262,7 +1294,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, true, 'Database user does not have UPDATE access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Database user does not have UPDATE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
@@ -1277,7 +1313,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
- print_test_result( BAD, true, 'Database user does not have DELETE access to the database ( ' . db_error_msg() . ' )' );
+ print_test_result(
+ BAD,
+ true,
+ 'Database user does not have DELETE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+ );
 }
 ?>
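Review bot: The four hunks here (SELECT, INSERT, UPDATE, DELETE) are the same five-line failure branch differing only in the verb, and that duplication is why the fix needed ten identical edits and why one missed db_error_msg() call site would have survived; a single helper that builds the message and performs the string_attribute() call would reduce each branch to one line and leave exactly one place to get the encoding right. These lines appear to be top-level script rather than part of print_test() — the hunk header names it only because it is the nearest preceding function definition — so the helper would be defined alongside the other functions near the top of install.php, outside this hunk. The `$t_result != false` tests are pre-existing loose comparisons and are left alone here.
```php
/**
 * Report a failed database check, escaping the driver's error text before output.
 * @param string $p_description Literal (trusted) description of the failed check
 * @param bool   $p_hard_fail   true if the failure aborts the installation
 */
function print_db_failure( $p_description, $p_hard_fail ) {
	# db_error_msg() can echo submitted form values back to the browser; never output it raw
	print_test_result( BAD, $p_hard_fail, $p_description . ' ( ' . string_attribute( db_error_msg() ) . ' )' );
}

# … unchanged: the SELECT test and its GOOD branch …
	print_db_failure( 'Database user does not have SELECT access to the database', true );
```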