[it is always nice to Cc the submitter :)] On Friday 12 December 2008, Giuseppe Iuculano wrote: > tags 508026 + patch > thanks > [...] > + // Import the language file > + if (isset($_language)) { > ++ // Sanitize $_language, see #508026 > ++ $_language = str_replace ('..','',$_language); > + include("./lang/recoded/{$_language}.php"); > + $_SESSION['webdbLanguage'] = $_language; > + }
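Review bot: the str_replace ('..','',$_language) line edits the value and then hands whatever is left straight to the include, so the include still runs on a $_language that was filtered for one pattern rather than checked against what is expected. Rather than stripping characters, accept the value only when it names a known language file, and skip both the include and the $_SESSION['webdbLanguage'] assignment otherwise. The added comment only cites the bug number; it should say what the filter is meant to guarantee.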
No, please do not apply/upload such kind of patches.

There are two issues in phppgadmin which lead to this bug:
a) register_globals=on appears to be required, and
b) _language is not initialised.

Attached patch fixes the issue. By initialising _language to null (so that isset returns false) the attack is invalidated.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
diff -urpN phppgadmin-4.2.orig/libraries/lib.inc.php phppgadmin-4.2/libraries/lib.inc.php --- phppgadmin-4.2.orig/libraries/lib.inc.php 2008-04-05 19:10:35.000000000 -0600 +++ phppgadmin-4.2/libraries/lib.inc.php 2008-12-15 17:02:40.000000000 -0600 @@ -94,6 +94,8 @@ $_reload_browser = true; } + $_language = null; + // Determine language file to import: // 1. Check for the language from a request var if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']]))
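Review bot: the added $_language = null; carries no comment, and nothing at that spot says why a variable is reset just before the code that sets it, so a later cleanup could drop it as redundant. Add a one-line comment stating that it has to be initialised ahead of the language detection so that isset($_language) is false unless one of the checks below assigns it. Only the first branch of the "Determine language file to import" block is visible in this hunk; confirm that the remaining branches also assign $_language only after a check like the isset($appLangFiles[...]) one.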
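Added example (not part of the original message and not phpPgAdmin code): the effect of the one-line initialisation described above, with register_globals=on emulated by extract() because that setting was removed in PHP 5.4. The function name, the $appLangFiles contents and the request values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpPgAdmin code. The function name, the flag and the
// sample values are constructed for illustration.
function language_file_to_include(array $request, bool $initialise): ?string
{
    // Emulate register_globals=on: request parameters become local variables
    // before any of the script's own logic runs. EXTR_SKIP keeps the two
    // function parameters from being overwritten.
    extract($request, EXTR_SKIP);

    // Constructed stand-in for $appLangFiles, defined after the import just
    // as the script's own assignments happen after register_globals.
    $appLangFiles = ['english' => 'English', 'german' => 'Deutsch'];

    if ($initialise) {
        $_language = null; // the fix: isset($_language) is false from here on
    }

    // 1. Language from a request var, accepted only if it is a known key
    if (isset($request['language']) && isset($appLangFiles[$request['language']])) {
        $_language = $request['language'];
    }

    // The import step: reached whenever $_language is set, by whatever means
    if (isset($_language)) {
        return "./lang/recoded/{$_language}.php";
    }
    return null;
}

// Constructed requests: one using the intended parameter, one supplying a
// variable name the script never meant to read from the request.
$cases = [
    'intended parameter' => ['language' => 'german'],
    'injected variable'  => ['_language' => 'not-a-known-language'],
];

foreach ($cases as $label => $request) {
    foreach ([false, true] as $initialise) {
        $path = language_file_to_include($request, $initialise);
        printf("%-18s initialised=%-5s -> %s\n", $label,
            var_export($initialise, true), $path ?? '(no include)');
    }
}
```

Only the injected-variable request without the initialisation produces a path built from a value that never passed the $appLangFiles check; with the initialisation in place that request reaches no include at all.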