
Commit 17f9b94

committed
Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this vulnerability, allowing an attacker to inject arbitrary code through crafted form variables. Sanitizing the database error message prior to output prevents the attack. Fixes #23146 Backported from c73ae3d
1 parent b78fd04 commit 17f9b94


1 file changed

+57
-12
lines changed


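--- a/admin/install.php
+++ b/admin/install.php
@@ -442,7 +442,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 # the check only works on mysql if the database is open
 $t_version_info = @$g_db->ServerInfo();
 } else {
-print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_version_info = null;
 }
 ?>
@@ -469,7 +473,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 print_test_result( GOOD );
 }
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -791,7 +799,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 
 if( !$t_rs ) {
 $t_result = false;
-print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_install_state--; # db creation failed, allow user to re-enter user/password info
 } else {
 print_test_result( GOOD );
@@ -814,9 +826,18 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 }
 
 if( $t_db_exists ) {
-print_test_result( BAD, false, 'Database already exists? ( ' . db_error_msg() . ' )' );
-} else {
-print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database already exists? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
+}
+else {
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_install_state--; # db creation failed, allow user to re-enter user/password info
 }
 }
@@ -847,7 +868,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 $g_db->Close();
 ?>
@@ -1242,7 +1267,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user does not have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user does not have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 
 if( $f_db_type == 'db2' ) {
@@ -1264,7 +1293,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have SELECT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have SELECT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1279,7 +1312,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have INSERT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have INSERT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1294,7 +1331,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have UPDATE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have UPDATE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1309,7 +1350,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have DELETE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have DELETE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>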
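Review bot: The hunk at old lines 814–822 splits `} else {` into `}` and `else {` on separate new lines 834–835, which is inconsistent with the `} else {` form every other hunk in this commit keeps and with the surrounding file; rejoining them as `} else {` would match the existing brace style. More substantively, the escaping is now repeated at ten call sites, so any future `print_test_result( BAD, ..., db_error_msg() )` written without `string_attribute()` silently reintroduces the reflected-output issue; escaping once inside `print_test_result` (defined outside these hunks) would be the more robust shape, provided no caller relies on passing markup in the message argument. `string_attribute` reads as an HTML-attribute-context escaper while the message here appears to be emitted as element content inside a table cell; that is adequate if it is `htmlspecialchars`-based with `ENT_QUOTES`, but the output context and the escaper's behaviour should be confirmed rather than assumed from the name. The enclosing blocks all start and end outside the hunks.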
