
Commit c73ae3d

committed
Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this vulnerability, which allowed an attacker to inject arbitrary code through crafted form variables. Sanitizing the database error message prior to output prevents the attack. Fixes #23146
1 parent 9b5b71d commit c73ae3d


1 file changed

+50
-10
lines changed


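--- a/admin/install.php
+++ b/admin/install.php
@@ -421,7 +421,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_version_info = null;
 }
 ?>
@@ -441,7 +445,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 $t_db_open = true;
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -793,9 +801,17 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 }
 
 if( $t_db_exists ) {
-print_test_result( BAD, false, 'Database already exists? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database already exists? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 } else {
-print_test_result( BAD, true, 'Does administrative user have access to create the database? ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Does administrative user have access to create the database? ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 $t_install_state--; # db creation failed, allow user to re-enter user/password info
 }
 }
@@ -817,7 +833,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user doesn\'t have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 $g_db->Close();
 ?>
@@ -1217,7 +1237,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result == true ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, false, 'Database user does not have access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+false,
+'Database user does not have access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1232,7 +1256,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have SELECT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have SELECT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1247,7 +1275,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have INSERT access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have INSERT access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1262,7 +1294,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have UPDATE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have UPDATE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>
@@ -1277,7 +1313,11 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 if( $t_result != false ) {
 print_test_result( GOOD );
 } else {
-print_test_result( BAD, true, 'Database user does not have DELETE access to the database ( ' . db_error_msg() . ' )' );
+print_test_result(
+BAD,
+true,
+'Database user does not have DELETE access to the database ( ' . string_attribute( db_error_msg() ) . ' )'
+);
 }
 ?>
 </tr>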
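Review bot: The encoding is applied separately at each of the nine `db_error_msg()` call sites in these hunks, so any call site this commit did not touch, or one added later, would emit the raw driver message into the page again; the more durable fix is to encode at the sink, inside `print_test_result()` where the message is echoed, provided no existing caller relies on passing markup in that argument. The message is rendered in HTML body context, so it is worth a one-line comment at the first call site noting that `string_attribute()` is being relied on to encode `<`, `>` and `&` as well as quotes, and confirming that in its implementation. The same point applies to every hunk in this file; the enclosing top-level script and its surrounding HTML start and end outside the hunks.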
