[SECURITY] Information disclosure on database failures

If the database is not responding, e.g. due to "too many connections",
cut-off database credentials might be shown and the system path might be revealed.
In terms of security, this is considered information disclosure.
Oliver Hader
2016-06-04 20:18:19 +02:00
parent 85f707af8a
commit 2e7133d619
2 changed files with 67 additions and 5 deletions


@@ -296,7 +296,7 @@ class FroxlorInstall
$content .= $this->_status_message('begin', $this->_lng['install']['creating_configfile']);
$userdata = "<?php\n";
$userdata .= "//automatically generated userdata.inc.php for Froxlor\n";
$userdata .= "// automatically generated userdata.inc.php for Froxlor\n";
$userdata .= "\$sql['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
$userdata .= "\$sql['user']='" . addcslashes($this->_data['mysql_unpriv_user'], "'\\") . "';\n";
$userdata .= "\$sql['password']='" . addcslashes($this->_data['mysql_unpriv_pass'], "'\\") . "';\n";
@@ -305,6 +305,8 @@ class FroxlorInstall
$userdata .= "\$sql_root[0]['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
$userdata .= "\$sql_root[0]['user']='" . addcslashes($this->_data['mysql_root_user'], "'\\") . "';\n";
$userdata .= "\$sql_root[0]['password']='" . addcslashes($this->_data['mysql_root_pass'], "'\\") . "';\n";
$userdata .= "// enable debugging to browser in case of SQL errors\n";
$userdata .= "\$sql['debug'] = false;\n";
$userdata .= "?>";
// test if we can store the userdata.inc.php in ../lib
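Review bot: The generated comment above `$sql['debug'] = false;` reads as an instruction to turn browser debugging on, and it does not tell the administrator that doing so presumably brings back the error output this commit is meant to hide; I would write it as `$userdata .= "// show SQL error details in the browser; keep false on production systems\n";`. Separately, the new key only reaches fresh installs: a userdata.inc.php written by an earlier installer has no `$sql['debug']` entry, so the code that reads it (not visible here, presumably in the second changed file) should treat a missing key as false, e.g. `!empty($sql['debug'])`, rather than reading it directly. The enclosing method starts and ends outside the hunks shown.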