From ccc423291cb0e6f8c58849f71821e7425b7c030e Mon Sep 17 00:00:00 2001
From: Lukas Metzger
Date: Thu, 29 Jun 2017 15:18:45 +0200
Subject: [PATCH] Fixing possible remote code executuin vulnerability introduced by commit 3bf4e2874a0120d99ae02a1a9f4a6e74094c7dc1
Thanks to RedTeam Pentesting for pointing out this issue
---
 api/install.php | 8 +++++---
 config/config-default.php | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/api/install.php b/api/install.php
index 9cac649..4e2c448 100644
--- a/api/install.php
+++ b/api/install.php
@@ -184,16 +184,18 @@ INSERT INTO options(name,value) VALUES ('schema_version', 4);
 ";
 try {
-    $db = new PDO("$input->type:dbname=$input->database;host=$input->host;port=$input->port", $input->user, $input->password);
+    $db = new PDO("$input->type:dbname=$input->database;host=$input->host;port=" . intval($input->port), $input->user, $input->password);
 } catch (PDOException $e) {
     $retval['status'] = "error";
     $retval['message'] = serialize($e);
 }
-$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
 if (!isset($retval)) {
+    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
     $passwordHash = password_hash($input->userPassword, PASSWORD_DEFAULT);
     $queries = explode(";", $sql[$input->type]);
@@ -220,7 +222,7 @@ if (!isset($retval)) {
     $configFile[] = '$config[\'db_user\'] = \'' . addslashes($input->user) . "';";
     $configFile[] = '$config[\'db_password\'] = \'' . addslashes($input->password) . "';";
     $configFile[] = '$config[\'db_name\'] = \'' . addslashes($input->database) . "';";
-    $configFile[] = '$config[\'db_port\'] = ' . addslashes($input->port) . ";";
+    $configFile[] = '$config[\'db_port\'] = ' . intval($input->port) . ";";
     $configFile[] = '$config[\'db_type\'] = \'' . addslashes($input->type) . "';";
     $retval['status'] = "success";
diff --git a/config/config-default.php b/config/config-default.php
index e4f0d57..7e5154b 100644
--- a/config/config-default.php
+++ b/config/config-default.php
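Review bot: intval() now bounds the port, but the DSN built on the new `new PDO(...)` line still interpolates `$input->type`, `$input->database` and `$input->host` unvalidated, and `$input->type` both selects the PDO driver and is the key used in `$sql[$input->type]` a few lines below. Validating it against the drivers the installer actually supports before the `try`, e.g. `if (!is_string($input->type) || !isset($sql[$input->type])) { $retval['status'] = "error"; $retval['message'] = "unsupported database type"; }`, closes the undefined-index path as well, and because a `;` inside host or database name appends further DSN parameters those two values should also be rejected or matched against a strict pattern. The same unvalidated `$input->type` is written into the generated config file as `db_type` in the second hunk, so that check needs to run before the config lines are assembled too. Separately, the context line `$retval['message'] = serialize($e);` serialises the entire exception including its trace, which for the `PDO::__construct` frame may carry the DSN, user and password as call arguments depending on `zend.exception_ignore_args`, so returning `$e->getMessage()` would be the safer response body. The `if (!isset($retval))` block continues past the end of the hunk.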
@@ -30,4 +30,4 @@ $config['nonce_lifetime'] = 15;
 //Number of rows in domain overview
 $config['domain_rows'] = 15;
-include 'config-user.php';
+require 'config-user.php';
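Review bot: `require 'config-user.php';` still resolves the relative path through include_path and the current working directory rather than this file's directory, so which config-user.php is loaded depends on how the entry script was invoked; `require __DIR__ . '/config-user.php';` pins it to the file beside config-default.php. Switching to `require` also turns a missing file into a fatal error instead of a warning, which is presumably intended since the installer appears to generate that file, but the reason deserves a one-line comment above it, e.g. `// generated by the installer; fail hard rather than silently run with the defaults in this file`.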