
Commit 6d47c04

committed
Fix XSS in install.php
This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). The parameters are now properly sanitized before being displayed. Fixes #17938
1 parent 69c2d28 commit 6d47c04


1 file changed

+21
-21
lines changed

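--- a/admin/install.php
+++ b/admin/install.php
@@ -355,7 +355,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 # due to a bug in ADODB, this call prompts warnings, hence the @
 # the check only works on mysql if the database is open
 $t_version_info = @$g_db->ServerInfo();
-echo '<br /> Running ' . $f_db_type . ' version ' . $t_version_info['description'];
+echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . $t_version_info['description'];
 ?>
 </td>
 <?php
@@ -444,7 +444,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Hostname (for Database Server)
 </td>
 <td>
-<input name="hostname" type="textbox" value="<?php echo $f_hostname?>"></input>
+<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
 </td>
 </tr>
 <?php
@@ -456,7 +456,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Username (for Database)
 </td>
 <td>
-<input name="db_username" type="textbox" value="<?php echo $f_db_username?>"></input>
+<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
 </td>
 </tr>
 <?php
@@ -480,7 +480,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Database name (for Database)
 </td>
 <td>
-<input name="database_name" type="textbox" value="<?php echo $f_database_name?>"></input>
+<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
 </td>
 </tr>
 <?php
@@ -491,7 +491,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 </td>
 <td>
-<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>"></input>
+<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
 </td>
 </tr>
 
@@ -500,7 +500,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 Admin Password (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 </td>
 <td>
-<input name="admin_password" type="password" value="<?php echo $f_admin_password?>"></input>
+<input name="admin_password" type="password" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 </td>
 </tr>
 
@@ -754,13 +754,13 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 /** @todo to be written */
 // must post data gathered to preserve it
 ?>
-<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 <?php
@@ -986,14 +986,14 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 <tr>
 <td bgcolor="#ffffff">Please correct failed checks</td>
 <td bgcolor="#ffffff">
-<input name="install" type="hidden" value="<?php echo $t_install_state?>"></input>
-<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+<input name="install" type="hidden" value="<?php echo $t_install_state ?>"></input>
+<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 <input name="retry" type="submit" class="button" value="Retry"></input>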
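Review bot: Two echoes on the new side are still emitted without escaping: in the first hunk (new line 358) `$t_version_info['description']` is concatenated raw right after the now-escaped `$f_db_type`, and in the last hunk (new line 989) `$t_install_state` is written into the `install` hidden field with only a whitespace change. The description string is returned by whichever database server the submitted connection parameters point at, so it should be treated as untrusted output and escaped the same way: `echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . string_attribute( $t_version_info['description'] );`. `$t_install_state` is assigned outside the visible hunks; unless it is already forced to an integer there, `<input name="install" type="hidden" value="<?php echo (int)$t_install_state ?>"></input>` would make the field safe regardless of how it was read. A short comment at line 358 noting that both values originate outside the application would help keep the escaping in place during later edits. All of these lines sit in blocks that begin and end outside the hunks, so the origin of each variable should be confirmed in the full file.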
