bug #4899 [security] CSRF vulnerability in setup
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj committed May 12, 2015
1 parent a395665 commit fea1d39
Showing 9 changed files with 30 additions and 24 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================

4.0.10.10 (Not yet released)
- bug #4899 [security] CSRF vulnerability in setup

4.0.10.9 (2015-03-04)
- bug [security] Risk of BREACH attack, see PMASA-2015-1

1 change: 1 addition & 0 deletions libraries/url_generating.lib.php
@@ -228,6 +228,7 @@ function PMA_generate_common_url()
if (isset($GLOBALS['server'])
&& $GLOBALS['server'] != $GLOBALS['cfg']['ServerDefault']
&& ! isset($params['server'])
&& ! defined('PMA_SETUP')
) {
$params['server'] = $GLOBALS['server'];
}
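Review bot: The added `! defined('PMA_SETUP')` clause has no comment, and the hunk gives no hint why the setup script must not receive the `server` parameter. A short line above the `if`, such as `// never add the server parameter while running the setup script (PMA_SETUP)`, would keep the condition from being removed as dead code later. The body of `PMA_generate_common_url()` starts and ends outside this hunk.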
4 changes: 2 additions & 2 deletions setup/frames/form.inc.php
@@ -19,8 +19,8 @@

require './libraries/config/setup.forms.php';

$formset_id = filter_input(INPUT_GET, 'formset');
$mode = filter_input(INPUT_GET, 'mode');
$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
if (! isset($forms[$formset_id])) {
PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php'));
}
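Review bot: `$_GET['formset']` and `$_GET['mode']` are now taken as-is, so a request that sends either parameter as an array reaches `isset($forms[$formset_id])`, and whatever uses `$mode` below the hunk, with a non-string value; `filter_input()` with its default filter returned `false` for array input. A scalar guard keeps the previous contract, e.g. `$formset_id = (isset($_GET['formset']) && is_string($_GET['formset'])) ? $_GET['formset'] : null;`, and the same for `$mode`. The same pattern appears in the new lines of setup/index.php (`page` and `action_done`, both passed to `preg_replace()`), setup/lib/form_processing.lib.php (`page`, `formset`) and setup/validate.php (`id` passed to `explode()`, `values` to `json_decode()`), where an array value would produce PHP warnings instead of a clean rejection.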
4 changes: 2 additions & 2 deletions setup/frames/index.inc.php
@@ -144,8 +144,8 @@
<td><?php echo htmlspecialchars($cf->getServerDSN($id)) ?></td>
<td style="white-space: nowrap">
<small>
<a href="<?php echo "?page=servers{$separator}mode=edit{$separator}id=$id" ?>"><?php echo __('Edit') ?></a>
| <a href="<?php echo "?page=servers{$separator}mode=remove{$separator}id=$id" ?>"><?php echo __('Delete') ?></a>
<a href="<?php echo "?" . PMA_generate_common_url() . $separator . "page=servers{$separator}mode=edit{$separator}id=$id" ?>"><?php echo __('Edit') ?></a>
| <a href="<?php echo "?" . PMA_generate_common_url() . $separator . "page=servers{$separator}mode=remove{$separator}id=$id" ?>"><?php echo __('Delete') ?></a>
</small>
</td>
</tr>
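Review bot: The Delete link still triggers `mode=remove` through a plain GET request, and the value returned by `PMA_generate_common_url()` (presumably the CSRF token this commit relies on) now sits in the query string, where it ends up in browser history, server logs and possibly Referer headers. A state-changing action such as removal is better sent as a small POST form with the token in a hidden field, leaving only Edit as an `<a>`. Separately, `$id` is interpolated into the `href` without `htmlspecialchars()`; that is harmless if server ids are always integers, but the hunk does not show where `$id` comes from.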
14 changes: 7 additions & 7 deletions setup/frames/menu.inc.php
@@ -13,11 +13,11 @@
$separator = PMA_get_arg_separator('html');
?>
<ul>
<li><a href="index.php"><?php echo __('Overview') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Features"><?php echo __('Features') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Sql_queries"><?php echo __('SQL queries') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Navi_panel"><?php echo __('Navigation panel') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Main_panel"><?php echo __('Main panel') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Import"><?php echo __('Import') ?></a></li>
<li><a href="?page=form<?php echo $separator ?>formset=Export"><?php echo __('Export') ?></a></li>
<li><a href="index.php?<?php echo PMA_generate_common_url() ?>"><?php echo __('Overview') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Features"><?php echo __('Features') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Sql_queries"><?php echo __('SQL queries') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Navi_panel"><?php echo __('Navigation panel') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Main_panel"><?php echo __('Main panel') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Import"><?php echo __('Import') ?></a></li>
<li><a href="?page=form<?php echo $separator . PMA_generate_common_url() . $separator ?>formset=Export"><?php echo __('Export') ?></a></li>
</ul>
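Review bot: `PMA_generate_common_url()` is called once per menu entry, seven times in this list, and its raw return value is echoed straight into each `href`. Computing it once next to `$separator`, `$common_url = PMA_generate_common_url();`, and echoing `$separator . $common_url . $separator` in the six form links would make the list easier to read and keep all entries in step. The markup is only safe if the helper already returns an HTML-encoded query string; that is not visible in this hunk and is worth stating in a comment above the `<ul>`.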
4 changes: 2 additions & 2 deletions setup/frames/servers.inc.php
@@ -19,8 +19,8 @@

require './libraries/config/setup.forms.php';

$mode = filter_input(INPUT_GET, 'mode');
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;

$cf = ConfigFile::getInstance();
$server_exists = !empty($id) && $cf->get("Servers/$id") !== null;
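Review bot: The `id` check was loosened from `FILTER_VALIDATE_INT` to `PMA_isValid($_GET['id'], 'numeric')`, and `$id` now keeps the raw request string instead of an integer. If the 'numeric' type follows `is_numeric()` (its definition is outside this page), values such as `1.5` or `1e3` pass and are interpolated into the `"Servers/$id"` config path. Requiring digits only and casting restores an integer contract for non-negative ids: `$id = (isset($_GET['id']) && is_string($_GET['id']) && ctype_digit($_GET['id'])) ? (int) $_GET['id'] : null;`. The same line was introduced in `process_formset()` in setup/lib/form_processing.lib.php.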
4 changes: 2 additions & 2 deletions setup/index.php
@@ -12,7 +12,7 @@
*/
require './lib/common.inc.php';

$page = filter_input(INPUT_GET, 'page');
$page = isset($_GET['page']) ? $_GET['page'] : null;
$page = preg_replace('/[^a-z]/', '', $page);
if ($page === '') {
$page = 'index';
@@ -23,7 +23,7 @@
}

// Handle done action info
$action_done = filter_input(INPUT_GET, 'action_done');
$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
$action_done = preg_replace('/[^a-z_]/', '', $action_done);

PMA_noCacheHeader();
14 changes: 7 additions & 7 deletions setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
*/
function process_formset(FormDisplay $form_display)
{
if (filter_input(INPUT_GET, 'mode') == 'revert') {
if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
// revert erroneous fields to their default values
$form_display->fixErrors();
// drop post data
@@ -31,10 +31,10 @@ function process_formset(FormDisplay $form_display)
if ($form_display->hasErrors()) {
// form has errors, show warning
$separator = PMA_get_arg_separator('html');
$page = filter_input(INPUT_GET, 'page');
$formset = filter_input(INPUT_GET, 'formset');
$page = isset($_GET['page']) ? $_GET['page'] : null;
$formset = isset($_GET['formset']) ? $_GET['formset'] : null;
$formset = $formset ? "{$separator}formset=$formset" : '';
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
if ($id === null && $page == 'servers') {
// we've just added a new server, get it's id
$id = ConfigFile::getInstance()->getServerCount();
@@ -44,12 +44,12 @@ function process_formset(FormDisplay $form_display)
<div class="error">
<h4><?php echo __('Warning') ?></h4>
<?php echo __('Submitted form contains errors') ?><br />
<a href="?page=<?php echo $page . $formset . $id . $separator ?>mode=revert"><?php echo __('Try to revert erroneous fields to their default values') ?></a>
<a href="?page=<?php echo $page . $formset . $id . $separator . PMA_generate_common_url() . $separator ?>mode=revert"><?php echo __('Try to revert erroneous fields to their default values') ?></a>
</div>
<?php $form_display->displayErrors() ?>
<a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
<a class="btn" href="index.php?<?php echo PMA_generate_common_url() ?>"><?php echo __('Ignore errors') ?></a>
&nbsp;
<a class="btn" href="?page=<?php echo $page . $formset . $id . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
<a class="btn" href="?page=<?php echo $page . $formset . $id . $separator . PMA_generate_common_url() . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
<?php
} else {
// drop post data
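Review bot: In the error branch `$page` and `$formset` come straight from `$_GET` and are echoed into two `href` attributes (the "revert" and "Show form" links) without output encoding; the commit adds the common URL parameters to these links but leaves the request values unescaped. Encoding at the point of use closes this, e.g. `$page = htmlspecialchars(isset($_GET['page']) ? $_GET['page'] : '');` and `"{$separator}formset=" . htmlspecialchars($formset)`. How `$id` is turned into a query fragment lies between the two hunks and is not visible here, so it should be checked the same way. `process_formset()` continues past the end of the last hunk.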
6 changes: 4 additions & 2 deletions setup/validate.php
@@ -16,8 +16,10 @@

header('Content-type: application/json');

$vids = explode(',', filter_input(INPUT_POST, 'id'));
$values = json_decode(filter_input(INPUT_POST, 'values'));
$ids = isset($_POST['id']) ? $_POST['id'] : null;
$vids = explode(',', $ids);
$vals = isset($_POST['values']) ? $_POST['values'] : null;
$values = json_decode($vals);
if (!($values instanceof stdClass)) {
PMA_fatalError(__('Wrong data'));
}