DB Credentials leak in upgrade_unattended.php
Retrieve credentials from Mantis system configuration instead of
accepting them from POST parameters.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

Paul Richards' original patch was modified to align the code with the master
branch (basically replacing DIRECTORY_SEPARATOR by '/') to facilitate
porting.

Fixes #17877

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
dregad committed Nov 29, 2014
1 parent 65c13de commit 0826cef
Showing 1 changed file with 8 additions and 13 deletions.
21 changes: 8 additions & 13 deletions admin/upgrade_unattended.php
Expand Up @@ -94,27 +94,22 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
}

# read control variables with defaults
$f_hostname = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );
$f_db_type = gpc_get( 'db_type', config_get( 'db_type', '' ) );
$f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtrack' ) );
$f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
$f_db_password = gpc_get( 'db_password', config_get( 'db_password', '' ) );
$f_db_exists = gpc_get_bool( 'db_exists', false );
$t_db_type = config_get_global( 'db_type' );

# install the tables
if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
!file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
if( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
!file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $t_db_type . '.inc.php' ) ) {
echo 'Invalid db type ' . htmlspecialchars( $t_db_type ) . '.';
exit;
}

$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
$g_db = ADONewConnection( $f_db_type );
$GLOBALS['g_db_type'] = $t_db_type; # database_api references this
require_once( dirname( __FILE__ ) . '/schema.php' );
$g_db = ADONewConnection( $t_db_type );

echo "\nPost 1.0 schema changes\n";
echo "Connecting to database... ";
$t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
$t_result = @$g_db->Connect( config_get_global( 'hostname' ), config_get_global( 'db_username' ), config_get_global( 'db_password' ), config_get_global( 'database_name' ) );

if( false == $t_result ) {
echo "Failed.\n";
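Review bot: the new condition `if( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||` still validates `$f_db_type`, whose `gpc_get()` assignment this hunk removes, while the `file_exists()` path and the `htmlspecialchars()` echo on the next two lines use `$t_db_type`. With `$f_db_type` no longer defined, `preg_match()` runs against an empty string, the `+` quantifier fails to match, and the script prints "Invalid db type" and exits on every run. Change the check to `$t_db_type` so the character whitelist also covers the value that is interpolated into the adodb driver path via `'/library/adodb/drivers/adodb-' . $t_db_type . '.inc.php'`.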