
Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, which allows an attacker to inject arbitrary HTML/script
into the installer page through crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes #23146

Backported from c73ae3d
dregad committed Aug 1, 2017
1 parent b78fd04 commit 17f9b94f031ba93ae2a727bca0e68458ecd08fb0
Showing with 57 additions and 12 deletions.
  1. +57 −12 admin/install.php
@@ -442,7 +442,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
# the check only works on mysql if the database is open
$t_version_info = @$g_db->ServerInfo();
} else {
print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Does administrative user have access to the database? ( ' . string_attribute( db_error_msg() ) . ' )'
);
$t_version_info = null;
}
?>
@@ -469,7 +473,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
print_test_result( GOOD );
}
} else {
print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
false,
'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
?>
</tr>
@@ -791,7 +799,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( !$t_rs ) {
$t_result = false;
print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
);
$t_install_state--; # db creation failed, allow user to re-enter user/password info
} else {
print_test_result( GOOD );
@@ -814,9 +826,18 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
}
if( $t_db_exists ) {
print_test_result( BAD, false, 'Database already exists? ( ' . db_error_msg() . ' )' );
} else {
print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
false,
'Database already exists? ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
else {
print_test_result(
BAD,
true,
'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
);
$t_install_state--; # db creation failed, allow user to re-enter user/password info
}
}
@@ -847,7 +868,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result == true ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
false,
'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
$g_db->Close();
?>
@@ -1242,7 +1267,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result == true ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, false, 'Database user does not have access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
false,
'Database user does not have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
if( $f_db_type == 'db2' ) {
@@ -1264,7 +1293,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result != false ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, true, 'Database user does not have SELECT access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Database user does not have SELECT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
?>
</tr>
@@ -1279,7 +1312,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result != false ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, true, 'Database user does not have INSERT access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Database user does not have INSERT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
?>
</tr>
@@ -1294,7 +1331,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result != false ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, true, 'Database user does not have UPDATE access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Database user does not have UPDATE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
?>
</tr>
@@ -1309,7 +1350,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
if( $t_result != false ) {
print_test_result( GOOD );
} else {
print_test_result( BAD, true, 'Database user does not have DELETE access to the database ( ' . db_error_msg() . ' )' );
print_test_result(
BAD,
true,
'Database user does not have DELETE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
);
}
?>
</tr>
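Review bot: The escaping is repeated at each of the ten print_test_result( BAD, …, db_error_msg() ) call sites rather than applied once at the sink, so any future call that reports a database error in install.php will silently reintroduce the reflected XSS; a single wrapper such as `function db_error_msg_html() { return string_attribute( db_error_msg() ); }`, or escaping the message inside print_test_result itself if no caller relies on passing markup through it, would make the safe form the default. The message is rendered as text inside the results table (each hunk ends in `</tr>`) while string_attribute() is by name the attribute-context escaper; if it is htmlspecialchars with ENT_QUOTES it is sufficient in element content too, but using the element-text helper, if string_api provides one, would document the intended context — confirm. The reflected value comes from the DBMS echoing the attacker-supplied hostname/database/user form fields back in its error, so the exposure also depends on install.php remaining reachable after installation; that hardening is outside this commit. All of these calls sit inside install-state branches whose enclosing code begins and ends outside the hunks.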
