
Commit ee92eb9

bug #4899 [security] CSRF vulnerability in setup
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
1 parent dba2af6 commit ee92eb9

9 files changed

+33
-24
lines changed

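--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.4.6.1 (Not yet released)
+- bug #4899 [security] CSRF vulnerability in setup
+
 4.4.6.0 (2015-05-07)
 - bug #4890 webkitStorageInfo and webkitIndexedDB is deprecated
 - bug #4892 Undefined variable: unique_conditions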

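--- a/libraries/url_generating.lib.php
+++ b/libraries/url_generating.lib.php
@@ -179,6 +179,7 @@ function PMA_URL_getCommon($params = array(), $encode = 'html', $divider = '?')
 if (isset($GLOBALS['server'])
 && $GLOBALS['server'] != $GLOBALS['cfg']['ServerDefault']
 && ! isset($params['server'])
+&& ! defined('PMA_SETUP')
 ) {
 $params['server'] = $GLOBALS['server'];
 }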
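Review bot: The new `! defined('PMA_SETUP')` condition in PMA_URL_getCommon carries no comment saying why the setup script must never receive a `server=` parameter, and a reader who sees the setup frames now route every link through this function will have to reconstruct the reason. I would put above the condition: `// never add server= for the setup script: it has no server selection, and the parameter would be carried into every setup link`. That motivation is inferred from the setup-side callers in this commit rather than stated anywhere, so adjust the wording if the actual reason differs. PMA_URL_getCommon starts before and continues after the hunk.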

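--- a/setup/frames/form.inc.php
+++ b/setup/frames/form.inc.php
@@ -19,8 +19,8 @@
 
 require './libraries/config/setup.forms.php';
 
-$formset_id = filter_input(INPUT_GET, 'formset');
-$mode = filter_input(INPUT_GET, 'mode');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
 if (! isset($forms[$formset_id])) {
 PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php!'));
 }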
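Review bot: The switch from `filter_input(INPUT_GET, …)` to `$_GET` on lines 22-23 is the substance of the CSRF fix, yet nothing in the file records why, so a later cleanup could put filter_input() back and silently reopen the hole. Presumably the token check in the shared setup bootstrap scrubs `$_GET` when the token is missing or wrong, while filter_input() reads the raw request data that the scrub never touches; if that is right, a comment on line 22 such as `// read $_GET, not filter_input(): the token check only sanitises the superglobal, filter_input() bypasses it` would pin the intent. Separately, `$_GET['formset']` may now arrive as an array (`?formset[]=x`), which the old filter_input() call rejected, and `isset($forms[$formset_id])` then emits an illegal-offset warning before reaching PMA_fatalError; `isset($_GET['formset']) && is_string($_GET['formset'])` restores the old contract.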

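--- a/setup/frames/index.inc.php
+++ b/setup/frames/index.inc.php
@@ -174,12 +174,12 @@
 echo '<td>' . htmlspecialchars($cf->getServerDSN($id)) . '</td>';
 echo '<td style="white-space: nowrap">';
 echo '<small>';
-echo '<a href="?page=servers' . $separator
-. 'mode=edit' . $separator . 'id=' . $id . '">'
+echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+. $separator . 'mode=edit' . $separator . 'id=' . $id . '">'
 . __('Edit') . '</a>';
 echo ' | ';
-echo '<a href="?page=servers' . $separator
-. 'mode=remove' . $separator . 'id=' . $id . '">'
+echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+. $separator . 'mode=remove' . $separator . 'id=' . $id . '">'
 . __('Delete') . '</a>';
 echo '</small>';
 echo '</td>';
@@ -308,7 +308,6 @@
 echo '<a href="http://www.phpmyadmin.net/">' . __('phpMyAdmin homepage') . '</a>';
 echo '<a href="http://sourceforge.net/donate/index.php?group_id=23067">'
 . __('Donate') . '</a>';
-echo '<a href="?version_check=1' . $separator
-. 'token=' . $_SESSION[' PMA_token '] . '">'
+echo '<a href="' . PMA_URL_getCommon() . $separator . 'version_check=1">'
 . __('Check for latest version') . '</a>';
 echo '</div>';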
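Review bot: `mode=remove` on lines 181-182 still deletes a server through a plain GET link; the token that PMA_URL_getCommon() now appends stops a cross-site forgery, but a state-changing GET remains exposed to link prefetchers and to replay from browser history. A small POST form carrying the same token, or at minimum a confirmation prompt on the anchor, would close that gap. The removal handler itself is outside this hunk, so I have not checked what it does with `id`.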

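--- a/setup/frames/menu.inc.php
+++ b/setup/frames/menu.inc.php
@@ -10,11 +10,11 @@
 exit;
 }
 
-$formset_id = filter_input(INPUT_GET, 'formset');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
 
 $separator = PMA_URL_getArgSeparator('html');
 echo '<ul>';
-echo '<li><a href="index.php"'
+echo '<li><a href="index.php' . PMA_URL_getCommon() . '"'
 . ($formset_id === null ? ' class="active' : '')
 . '">' . __('Overview') . '</a></li>';
 
@@ -28,7 +28,8 @@
 );
 
 foreach ($formsets as $formset => $label) {
-echo '<li><a href="?page=form' . $separator . 'formset=' . $formset . '" '
+echo '<li><a href="' . PMA_URL_getCommon() . $separator . 'page=form'
+. $separator . 'formset=' . $formset . '" '
 . ($formset_id === $formset ? ' class="active' : '')
 . '">' . $label . '</a></li>';
 }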

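--- a/setup/frames/servers.inc.php
+++ b/setup/frames/servers.inc.php
@@ -19,8 +19,8 @@
 
 require './libraries/config/setup.forms.php';
 
-$mode = filter_input(INPUT_GET, 'mode');
-$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
+$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 
 $cf = $GLOBALS['ConfigFile'];
 $server_exists = !empty($id) && $cf->get("Servers/$id") !== null;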
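Review bot: `PMA_isValid($_GET['id'], 'numeric')` on line 23 indexes `$_GET` with no isset() guard, so a request without `id` (the add-server case, judging by the `!empty($id)` test on line 26) raises an undefined-index notice unless PMA_isValid takes its argument by reference; the removed filter_input() call was silent here. The safer form is `$id = isset($_GET['id']) && PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;`. Note also that 'numeric' is looser than FILTER_VALIDATE_INT — it accepts `1.5` or `1e3` — so `$cf->get("Servers/$id")` now sees strings the old code never passed through; whether that matters depends on ConfigFile::get, which is not shown.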

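--- a/setup/index.php
+++ b/setup/index.php
@@ -12,7 +12,7 @@
 */
 require './lib/common.inc.php';
 
-$page = filter_input(INPUT_GET, 'page');
+$page = isset($_GET['page']) ? $_GET['page'] : null;
 $page = preg_replace('/[^a-z]/', '', $page);
 if ($page === '') {
 $page = 'index';
@@ -23,7 +23,7 @@
 }
 
 // Handle done action info
-$action_done = filter_input(INPUT_GET, 'action_done');
+$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
 $action_done = preg_replace('/[^a-z_]/', '', $action_done);
 
 PMA_noCacheHeader();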
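Review bot: `$_GET['page']` on line 15 can now be an array (`?page[]=x`), which filter_input() used to reject; preg_replace() accepts an array subject and returns an array, so the `$page === ''` test on line 17 never fires and whatever consumes `$page` after the hunk (it reads like a frame name) receives an array instead of a string. `$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;` keeps the old contract, and the same guard belongs on `action_done` at line 26 of the second hunk. The code that uses `$page` is outside the hunk, so I cannot tell from here how far the array case propagates.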

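--- a/setup/lib/form_processing.lib.php
+++ b/setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
 */
 function PMA_Process_formset(FormDisplay $form_display)
 {
-if (filter_input(INPUT_GET, 'mode') == 'revert') {
+if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
 // revert erroneous fields to their default values
 $form_display->fixErrors();
 PMA_generateHeader303();
@@ -35,10 +35,10 @@ function PMA_Process_formset(FormDisplay $form_display)
 
 // form has errors, show warning
 $separator = PMA_URL_getArgSeparator('html');
-$page = filter_input(INPUT_GET, 'page');
-$formset = filter_input(INPUT_GET, 'formset');
+$page = isset($_GET['page']) ? $_GET['page'] : null;
+$formset = isset($_GET['formset']) ? $_GET['formset'] : null;
 $formset = $formset ? "{$separator}formset=$formset" : '';
-$formId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+$formId = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 if ($formId === null && $page == 'servers') {
 // we've just added a new server, get its id
 $formId = $form_display->getConfigFile()->getServerCount();
@@ -48,15 +48,18 @@ function PMA_Process_formset(FormDisplay $form_display)
 <div class="error">
 <h4><?php echo __('Warning') ?></h4>
 <?php echo __('Submitted form contains errors') ?><br />
-<a href="?page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
+<a href="<?php echo PMA_URL_getCommon() . $separator ?>
+page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
 <?php echo __('Try to revert erroneous fields to their default values')
 ?>
 </a>
 </div>
 <?php $form_display->displayErrors() ?>
-<a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
+<a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>">
+<?php echo __('Ignore errors') ?></a>
 &nbsp;
-<a class="btn" href="?page=<?php echo $page . $formset . $formId
+<a class="btn" href="<?php echo PMA_URL_getCommon() . $separator ?>
+page=<?php echo $page . $formset . $formId
 . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
 <?php
 }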
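Review bot: `$page` and `$formset`, read raw from `$_GET` on lines 38-39 of the second hunk, are echoed straight into href attributes on lines 52 and 61-62 (and `$formset` is interpolated into the query string on line 40) without htmlspecialchars(), so a crafted `page` or `formset` value is reflected unescaped into the markup. This was equally true of the filter_input() version, and the branch is only reached on a form submission with errors, which the token presumably now gates, so exploitability is limited; still, escaping at the source costs two edits: `$page = isset($_GET['page']) ? htmlspecialchars($_GET['page']) : null;` and `$formset = isset($_GET['formset']) ? htmlspecialchars($_GET['formset']) : null;`. The `$page == 'servers'` comparison on line 42 is unaffected by that escaping. Line 41 also indexes `$_GET['id']` without isset(), the same unguarded read as in servers.inc.php; PMA_Process_formset continues between and past the hunks.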

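--- a/setup/validate.php
+++ b/setup/validate.php
@@ -16,8 +16,10 @@
 
 header('Content-type: application/json');
 
-$vids = explode(',', filter_input(INPUT_POST, 'id'));
-$values = json_decode(filter_input(INPUT_POST, 'values'));
+$ids = isset($_POST['id']) ? $_POST['id'] : null;
+$vids = explode(',', $ids);
+$vals = isset($_POST['values']) ? $_POST['values'] : null;
+$values = json_decode($vals);
 if (!($values instanceof stdClass)) {
 PMA_fatalError(__('Wrong data'));
 }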
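Review bot: `explode(',', $ids)` on line 20 runs before anything checks that `$_POST['id']` is a string: a missing `id` yields `explode(',', null)`, i.e. `['']`, and an array value (`id[]=…`) makes explode() warn and return null, whereas the removed filter_input() call returned false for arrays. Guarding both inputs keeps the old contract: `$ids = isset($_POST['id']) && is_string($_POST['id']) ? $_POST['id'] : '';` and `$vals = isset($_POST['values']) && is_string($_POST['values']) ? $_POST['values'] : '';`. The `instanceof stdClass` test on line 23 already rejects a bad `values`; how `$vids` is consumed lies outside the hunk.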
