DB Credentials leak in upgrade_unattended.php
Retrieve credentials from Mantis system configuration instead of
accepting them from POST parameters.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

Fixes #17877

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
mantis authored and dregad committed Nov 29, 2014
1 parent a177fae commit 7c7c2ac
Showing 1 changed file with 7 additions and 12 deletions.
19 changes: 7 additions & 12 deletions admin/upgrade_unattended.php
Expand Up @@ -95,27 +95,22 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
}

# read control variables with defaults
$f_hostname = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );
$f_db_type = gpc_get( 'db_type', config_get( 'db_type', '' ) );
$f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtrack' ) );
$f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
$f_db_password = gpc_get( 'db_password', config_get( 'db_password', '' ) );
$f_db_exists = gpc_get_bool( 'db_exists', false );
$t_db_type = config_get_global( 'db_type' );

# install the tables
if( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
!file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $f_db_type . '.inc.php' ) ) {
echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
if( !preg_match( '/^[a-zA-Z0-9_]+$/', $t_db_type ) ||
!file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $t_db_type . '.inc.php' ) ) {
echo 'Invalid db type ' . htmlspecialchars( $t_db_type ) . '.';
exit;
}

$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
$GLOBALS['g_db_type'] = $t_db_type; # database_api references this
require_once( dirname( __FILE__ ) . '/schema.php' );
$g_db = ADONewConnection( $f_db_type );
$g_db = ADONewConnection( $t_db_type );

echo "\nPost 1.0 schema changes\n";
echo 'Connecting to database... ';
$t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
$t_result = @$g_db->Connect( config_get_global( 'hostname' ), config_get_global( 'db_username' ), config_get_global( 'db_password' ), config_get_global( 'database_name' ) );

if( false == $t_result ) {
echo 'Failed.' . "\n";
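
Review bot: The comment "# read control variables with defaults" above the $t_db_type assignment is stale once the gpc_get() reads are gone, because nothing is read from the request any more and the config_get_global() calls pass no default; reword it to say the connection settings come from the Mantis configuration. The old calls fell back to 'localhost' and 'bugtrack' when a value was missing, so it is worth confirming what config_get_global() does for an unset option and failing with a clear message in that case, since the @ on Connect() hides the driver's own error. For readability, the four inline config_get_global() calls in the Connect() line could be read into $t_ variables next to $t_db_type. The dropped db_exists parameter should also be checked for remaining uses further down the script, outside this hunk.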