From d67c4debcacfd05aae21ba45618213c4a1c06a9b Mon Sep 17 00:00:00 2001
From: David Hicks
Date: Wed, 15 Dec 2010 10:40:32 +1100
Subject: [PATCH] Fix #12607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.
---
 admin/upgrade_unattended.php | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/admin/upgrade_unattended.php b/admin/upgrade_unattended.php
index ad03e3ca68..39b0920d73 100644
--- a/admin/upgrade_unattended.php
+++ b/admin/upgrade_unattended.php
@@ -32,6 +32,16 @@ $g_failed = false;
+/* This script is probably meant to be executed from PHP CLI and hence should
+ * not be interpreted as text/html. However saying that, we do call gpc_
+ * functions that only make sense in PHP CGI mode. Given this mismatch we'll
+ * just assume for now that this script is meant to be used from PHP CGI and
+ * the output is meant to be text/plain. We also need to prevent Internet
+ * Explorer from ignoring our MIME type and using it's own MIME sniffing.
+ */
+header( 'Content-Type: text/plain;' );
+header( 'X-Content-Type-Options: nosniff' );
+
 /**
  * Print the result of an upgrade step.
  *
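Review bot: `header( 'Content-Type: text/plain;' )` sends a media type with a stray trailing `;` and no parameter after it, which is not a well-formed Content-Type value; browsers tolerate it, but the intent is clearer and the encoding pinned with `header( 'Content-Type: text/plain; charset=utf-8' );`. The XSS mitigation here depends on these two headers actually reaching the client, which requires that nothing before this point (the core.php include is above the hunk, outside the view) has already emitted output; a `headers_sent()` guard or a one-line comment stating that assumption next to the calls would make the dependency explicit. In the comment block, "it's own" should read "its own".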
@@ -88,15 +98,15 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
 $f_db_exists = gpc_get_bool( 'db_exists', false );
 # install the tables
-$c_db_type = string_attribute( $f_db_type );
-if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.inc.php' ) ) {
-	echo "Invalid db type '$c_db_type'.";
+if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
+	!file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
+	echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
 	exit;
 }
-$GLOBALS['g_db_type'] = $c_db_type; # database_api references this
+$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
 require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
-$g_db = ADONewConnection( $c_db_type );
+$g_db = ADONewConnection( $f_db_type );
 echo "\nPost 1.0 schema changes\n";
 echo "Connecting to database... ";
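Review bot: The allow-list `preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type )` still accepts a value that ends in a single newline, because in PCRE `$` also matches just before a trailing `\n` unless the `D` modifier is used; the `file_exists()` check that follows would reject such a value on common filesystems, but the guard is self-contained and its intent unambiguous with `'/^[a-zA-Z0-9_]+$/D'` (or `\z` in place of `$`). Since the regex, not `file_exists()`, is what now prevents `$f_db_type` from steering the driver path and the later `ADONewConnection( $f_db_type )` driver lookup, a comment such as `# allow-list: the type name is used to build a file path and select a driver` on the `if` line would tell the next maintainer why both checks exist. The `htmlspecialchars( $f_db_type )` in the error echo is harmless but redundant once the allow-list holds and the response is text/plain. `$f_db_type` is assigned before this hunk, outside the view.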