bug #4899 [security] CSRF vulnerability in setup
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj committed May 13, 2015
1 parent 462e75e commit 9817bd4
Showing 9 changed files with 33 additions and 24 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================

4.3.13.1 (Not yet released)
- bug #4899 [security] CSRF vulnerability in setup

4.3.13.0 (2015-03-29)
- bug #4803 "Show hidden items" is sometimes hidden
- bug #4807 Breaks when sorting by multiple columns while using UNION
1 change: 1 addition & 0 deletions libraries/url_generating.lib.php
@@ -179,6 +179,7 @@ function PMA_URL_getCommon($params = array(), $encode = 'html', $divider = '?')
if (isset($GLOBALS['server'])
&& $GLOBALS['server'] != $GLOBALS['cfg']['ServerDefault']
&& ! isset($params['server'])
&& ! defined('PMA_SETUP')
) {
$params['server'] = $GLOBALS['server'];
}
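Review bot: The added `! defined('PMA_SETUP')` condition has no comment saying why setup pages must not receive a `server` parameter, and the reason cannot be read from the hunk. A one-line comment above the `if`, such as `// setup script: never propagate 'server'; the helper is used there only for the common parameters`, would keep a later cleanup from dropping the check. That wording is inferred from how the other files in this commit call PMA_URL_getCommon(), so it should be confirmed against the function body, which continues outside the hunk.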
4 changes: 2 additions & 2 deletions setup/frames/form.inc.php
@@ -19,8 +19,8 @@

require './libraries/config/setup.forms.php';

$formset_id = filter_input(INPUT_GET, 'formset');
$mode = filter_input(INPUT_GET, 'mode');
$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
if (! isset($forms[$formset_id])) {
PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php!'));
}
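Review bot: Reading `$_GET['formset']` and `$_GET['mode']` directly drops the scalar guarantee that `filter_input()` gave: a request with `formset[]=x` now yields an array, where the default filter returned `false`. Here the array reaches `isset($forms[$formset_id])`; in setup/index.php it goes into `preg_replace()`, which returns an array for an array subject so the `$page === ''` fallback no longer applies, and in setup/validate.php it reaches `explode()` and `json_decode()`. A type check at each read keeps the old behaviour, e.g. `$formset_id = (isset($_GET['formset']) && is_string($_GET['formset'])) ? $_GET['formset'] : null;`. The same direct-read pattern is in setup/frames/menu.inc.php, setup/frames/servers.inc.php and setup/lib/form_processing.lib.php.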
11 changes: 5 additions & 6 deletions setup/frames/index.inc.php
@@ -174,12 +174,12 @@
echo '<td>' . htmlspecialchars($cf->getServerDSN($id)) . '</td>';
echo '<td style="white-space: nowrap">';
echo '<small>';
echo '<a href="?page=servers' . $separator
. 'mode=edit' . $separator . 'id=' . $id . '">'
echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
. $separator . 'mode=edit' . $separator . 'id=' . $id . '">'
. __('Edit') . '</a>';
echo ' | ';
echo '<a href="?page=servers' . $separator
. 'mode=remove' . $separator . 'id=' . $id . '">'
echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
. $separator . 'mode=remove' . $separator . 'id=' . $id . '">'
. __('Delete') . '</a>';
echo '</small>';
echo '</td>';
@@ -308,7 +308,6 @@
echo '<a href="http://www.phpmyadmin.net/">' . __('phpMyAdmin homepage') . '</a>';
echo '<a href="http://sourceforge.net/donate/index.php?group_id=23067">'
. __('Donate') . '</a>';
echo '<a href="?version_check=1' . $separator
. 'token=' . $_SESSION[' PMA_token '] . '">'
echo '<a href="' . PMA_URL_getCommon() . $separator . 'version_check=1">'
. __('Check for latest version') . '</a>';
echo '</div>';
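Review bot: Every setup link now carries whatever PMA_URL_getCommon() returns in its query string, which presumably includes the session token (the explicit `token=` on the version-check link was removed in favour of the helper), and this page also renders the two external links to phpmyadmin.net and sourceforge.net. A browser following one of those may send the current setup URL, token included, in the Referer header. Adding `rel="noreferrer"` to the external anchors would prevent that, e.g. `echo '<a href="http://www.phpmyadmin.net/" rel="noreferrer">'`. The external anchors are context lines of the second hunk, not lines this commit changed.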
7 changes: 4 additions & 3 deletions setup/frames/menu.inc.php
@@ -10,11 +10,11 @@
exit;
}

$formset_id = filter_input(INPUT_GET, 'formset');
$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;

$separator = PMA_URL_getArgSeparator('html');
echo '<ul>';
echo '<li><a href="index.php"'
echo '<li><a href="index.php' . PMA_URL_getCommon() . '"'
. ($formset_id === null ? ' class="active' : '')
. '">' . __('Overview') . '</a></li>';

@@ -28,7 +28,8 @@
);

foreach ($formsets as $formset => $label) {
echo '<li><a href="?page=form' . $separator . 'formset=' . $formset . '" '
echo '<li><a href="' . PMA_URL_getCommon() . $separator . 'page=form'
. $separator . 'formset=' . $formset . '" '
. ($formset_id === $formset ? ' class="active' : '')
. '">' . $label . '</a></li>';
}
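Review bot: The links are assembled as `PMA_URL_getCommon() . $separator . 'page=form'`, which is only a well-formed URL if the helper returned a non-empty string beginning with its `?` divider; should it return an empty string, the href would start with the separator. Passing the parameters to the helper avoids that and keeps separator handling in one place: `PMA_URL_getCommon(array('page' => 'form', 'formset' => $formset))`. Whether the helper can return an empty string is not visible on this page. The same hand-built form is used in setup/frames/index.inc.php and setup/lib/form_processing.lib.php.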
4 changes: 2 additions & 2 deletions setup/frames/servers.inc.php
@@ -19,8 +19,8 @@

require './libraries/config/setup.forms.php';

$mode = filter_input(INPUT_GET, 'mode');
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;

$cf = $GLOBALS['ConfigFile'];
$server_exists = !empty($id) && $cf->get("Servers/$id") !== null;
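Review bot: `$id` used to be an integer produced by `FILTER_VALIDATE_INT` and is now the raw request string whenever `PMA_isValid(..., 'numeric')` accepts it. If that check behaves like `is_numeric()` (its definition is not on this page), values such as `1.0` or `1e1` would pass and be interpolated into `"Servers/$id"`. Running the integer filter on the `$_GET` value keeps the old type and failure behaviour: `$id = isset($_GET['id']) ? filter_var($_GET['id'], FILTER_VALIDATE_INT) : null;`. The matching `$formId` line in setup/lib/form_processing.lib.php has the same issue.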
4 changes: 2 additions & 2 deletions setup/index.php
@@ -12,7 +12,7 @@
*/
require './lib/common.inc.php';

$page = filter_input(INPUT_GET, 'page');
$page = isset($_GET['page']) ? $_GET['page'] : null;
$page = preg_replace('/[^a-z]/', '', $page);
if ($page === '') {
$page = 'index';
@@ -23,7 +23,7 @@
}

// Handle done action info
$action_done = filter_input(INPUT_GET, 'action_done');
$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
$action_done = preg_replace('/[^a-z_]/', '', $action_done);

PMA_noCacheHeader();
17 changes: 10 additions & 7 deletions setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
*/
function PMA_Process_formset(FormDisplay $form_display)
{
if (filter_input(INPUT_GET, 'mode') == 'revert') {
if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
// revert erroneous fields to their default values
$form_display->fixErrors();
PMA_generateHeader303();
@@ -35,10 +35,10 @@ function PMA_Process_formset(FormDisplay $form_display)

// form has errors, show warning
$separator = PMA_URL_getArgSeparator('html');
$page = filter_input(INPUT_GET, 'page');
$formset = filter_input(INPUT_GET, 'formset');
$page = isset($_GET['page']) ? $_GET['page'] : null;
$formset = isset($_GET['formset']) ? $_GET['formset'] : null;
$formset = $formset ? "{$separator}formset=$formset" : '';
$formId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$formId = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
if ($formId === null && $page == 'servers') {
// we've just added a new server, get its id
$formId = $form_display->getConfigFile()->getServerCount();
@@ -48,15 +48,18 @@ function PMA_Process_formset(FormDisplay $form_display)
<div class="error">
<h4><?php echo __('Warning') ?></h4>
<?php echo __('Submitted form contains errors') ?><br />
<a href="?page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
<a href="<?php echo PMA_URL_getCommon() . $separator ?>
page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
<?php echo __('Try to revert erroneous fields to their default values')
?>
</a>
</div>
<?php $form_display->displayErrors() ?>
<a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
<a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>">
<?php echo __('Ignore errors') ?></a>
&nbsp;
<a class="btn" href="?page=<?php echo $page . $formset . $formId
<a class="btn" href="<?php echo PMA_URL_getCommon() . $separator ?>
page=<?php echo $page . $formset . $formId
. $separator ?>mode=edit"><?php echo __('Show form') ?></a>
<?php
}
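Review bot: `$page` and `$formset` are taken unmodified from `$_GET` and echoed into the `href` attributes of the revert and "Show form" links without `urlencode()` or `htmlspecialchars()`, so request-controlled text lands inside an HTML attribute. Unless the lines elided between the hunks sanitise them, the values should be encoded where the link parts are built, e.g. `$formset = $formset ? $separator . 'formset=' . urlencode($formset) : '';` and `echo urlencode($page)` in the templates. PMA_Process_formset begins before the second hunk and part of its body is not shown.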
6 changes: 4 additions & 2 deletions setup/validate.php
@@ -16,8 +16,10 @@

header('Content-type: application/json');

$vids = explode(',', filter_input(INPUT_POST, 'id'));
$values = json_decode(filter_input(INPUT_POST, 'values'));
$ids = isset($_POST['id']) ? $_POST['id'] : null;
$vids = explode(',', $ids);
$vals = isset($_POST['values']) ? $_POST['values'] : null;
$values = json_decode($vals);
if (!($values instanceof stdClass)) {
PMA_fatalError(__('Wrong data'));
}
