From 7c7c2ac731e8b59d4c412290e4333d1cb6792ad7 Mon Sep 17 00:00:00 2001
From: Paul Richards
Date: Thu, 30 Oct 2014 22:53:24 +0000
Subject: [PATCH] DB Credentials leak in upgrade_unattended.php

Retrieve credentials from Mantis system configuration instead of accepting them from POST parameters.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1].

Fixes #17877

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad
---
 admin/upgrade_unattended.php | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/admin/upgrade_unattended.php b/admin/upgrade_unattended.php
index ad10859119..5a56aeb6d8 100644
--- a/admin/upgrade_unattended.php
+++ b/admin/upgrade_unattended.php
@@ -95,27 +95,22 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
 }
 
 # read control variables with defaults
-$f_hostname = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );
-$f_db_type = gpc_get( 'db_type', config_get( 'db_type', '' ) );
-$f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtrack' ) );
-$f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
-$f_db_password = gpc_get( 'db_password', config_get( 'db_password', '' ) );
-$f_db_exists = gpc_get_bool( 'db_exists', false );
+$t_db_type = config_get_global( 'db_type' );
 
 # install the tables
-if( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
- !file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $f_db_type . '.inc.php' ) ) {
- echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
+if( !preg_match( '/^[a-zA-Z0-9_]+$/', $t_db_type ) ||
+ !file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $t_db_type . '.inc.php' ) ) {
+ echo 'Invalid db type ' . htmlspecialchars( $t_db_type ) . '.';
  exit;
 }
-$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
+$GLOBALS['g_db_type'] = $t_db_type; # database_api references this
 
 require_once( dirname( __FILE__ ) . '/schema.php' );
 
-$g_db = ADONewConnection( $f_db_type );
+$g_db = ADONewConnection( $t_db_type );
 
 echo "\nPost 1.0 schema changes\n";
 echo 'Connecting to database... ';
-$t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
+$t_result = @$g_db->Connect( config_get_global( 'hostname' ), config_get_global( 'db_username' ), config_get_global( 'db_password' ), config_get_global( 'database_name' ) );
 if( false == $t_result ) {
  echo 'Failed.' . "\n";
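Review bot: The context comment `# read control variables with defaults` is now stale — the only statement left under it is `$t_db_type = config_get_global( 'db_type' );`, which no longer reads request parameters and supplies no default; change it to `# read database settings from the system configuration only, never from the request`. The new `Connect` line packs four `config_get_global` calls into a single call expression; hoisting them into `$t_hostname`, `$t_db_username`, `$t_db_password` and `$t_database_name` locals just above would keep the line readable and make it obvious at a glance that none of them originate from `gpc_get`. The `'localhost'` and `'bugtrack'` fallbacks of the old `config_get` calls are dropped with the switch to `config_get_global`; if that function errors on a missing key rather than returning a default, an installation without those settings now fails before reaching the `Failed.` branch, which is worth confirming. `$f_db_exists` is removed without a replacement; if it is still referenced later in the file (outside this hunk), that use now reads an undefined variable.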