
Commit 132cd6d

committed
Fix XSS in install.php
This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). The parameters are now properly sanitized before being displayed. Fixes #17938
1 parent 7cc4539 commit 132cd6d


1 file changed

+19
-19
lines changed

1 file changed

+19
-19
lines changed

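--- a/admin/install.php
+++ b/admin/install.php
@@ -458,7 +458,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 <td bgcolor="#ffffff">
 Checking Database Server Version
 <?php
-echo '<br /> Running ' . $f_db_type . ' version ' . nl2br( $t_version_info['description'] );
+echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . nl2br( $t_version_info['description'] );
 ?>
 </td>
 <?php
@@ -581,7 +581,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Hostname (for Database Server)
 </td>
 <td>
-<input name="hostname" type="textbox" value="<?php echo $f_hostname?>">
+<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>">
 </td>
 </tr>
 
@@ -591,7 +591,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Username (for Database)
 </td>
 <td>
-<input name="db_username" type="textbox" value="<?php echo $f_db_username?>">
+<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>">
 </td>
 </tr>
 
@@ -614,7 +614,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Database name (for Database)
 </td>
 <td>
-<input name="database_name" type="textbox" value="<?php echo $f_database_name?>">
+<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>">
 </td>
 </tr>
 <?php
@@ -627,7 +627,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 </td>
 <td>
-<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>">
+<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>">
 </td>
 </tr>
 
@@ -639,7 +639,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 <input name="admin_password" type="password" value="<?php
 echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
 ? CONFIGURED_PASSWORD
-: $f_admin_password;
+: string_attribute( $f_admin_password );
 ?>">
 </td>
 </tr>
@@ -1024,13 +1024,13 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 # @todo to be written
 # must post data gathered to preserve it
 ?>
-<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
-<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
-<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
-<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
-<input name="db_password" type="hidden" value="<?php echo $f_db_password?>">
-<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
-<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>">
+<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
+<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
+<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
+<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
+<input name="db_password" type="hidden" value="<?php echo string_attribute( f_db_password ) ?>">
+<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>">
+<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>">
 <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
 <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">
 <?php
@@ -1330,20 +1330,20 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 <td bgcolor="#ffffff">
 <form method='POST'>
 <input name="install" type="hidden" value="<?php echo $t_install_state?>">
-<input name="hostname" type="hidden" value="<?php echo $f_hostname?>">
-<input name="db_type" type="hidden" value="<?php echo $f_db_type?>">
-<input name="database_name" type="hidden" value="<?php echo $f_database_name?>">
-<input name="db_username" type="hidden" value="<?php echo $f_db_username?>">
+<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>">
+<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>">
+<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>">
+<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>">
 <input name="db_password" type="hidden" value="<?php
 echo !is_blank( $f_db_password ) && $t_config_exists
 ? CONFIGURED_PASSWORD
-: $f_db_password;
+: string_attribute( $f_db_password );
 ?>">
 <input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>">
 <input name="admin_password" type="hidden" value="<?php
 echo !is_blank( $f_admin_password ) && $f_admin_password == $f_db_password
 ? CONFIGURED_PASSWORD
-: $f_admin_password;
+: string_attribute( $f_admin_password );
 ?>">
 <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>">
 <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>">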
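Review bot: At new line 1031 the `db_password` hidden field calls `string_attribute( f_db_password )` without the `$`, so PHP reads a bare constant instead of the variable. Depending on the PHP version this either emits the literal text `f_db_password` as the field value or raises an error, and the submitted database password is lost either way. It should read `<?php echo string_attribute( $f_db_password ) ?>`. In the last hunk, the context line 1342 still echoes `$f_admin_username` into a `value` attribute unescaped, although the same field is escaped at lines 630 and 1032; it needs `string_attribute( $f_admin_username )` for the fix to be complete. The template code continues outside every hunk shown, so other echo sites in install.php may need the same check.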
