fix sql injection hole where value fields were not being escaped in the stored file - (thanks to Filippo Cavallarin)

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1320 a1433add-5e2c-0410-b055-b7f2511e0802
postfixadmin-2.3
David Goodwin 13 years ago
parent d8895ccdc2
commit 9dd00fb0a7

@ -33,101 +33,98 @@ if ('pgsql'==$CONF['database_type'])
print '<p>Sorry: Backup is currently not supported for your DBMS.</p>'; print '<p>Sorry: Backup is currently not supported for your DBMS.</p>';
} }
/* /*
SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,adsrc SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,adsrc
AS def FROM pg_attribute,pg_class,pg_type,pg_attrdef AS def FROM pg_attribute,pg_class,pg_type,pg_attrdef
WHERE pg_class.oid=attrelid AND pg_type.oid=atttypid WHERE pg_class.oid=attrelid AND pg_type.oid=atttypid
AND attnum>0 AND pg_class.oid=adrelid AND adnum=attnum AND atthasdef='t' AND lower(relname)='admin' AND attnum>0 AND pg_class.oid=adrelid AND adnum=attnum AND atthasdef='t' AND lower(relname)='admin'
UNION SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,'' UNION SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,''
AS def FROM pg_attribute,pg_class,pg_type AS def FROM pg_attribute,pg_class,pg_type
WHERE pg_class.oid=attrelid WHERE pg_class.oid=attrelid
AND pg_type.oid=atttypid AND pg_type.oid=atttypid
AND attnum>0 AND attnum>0
AND atthasdef='f' AND atthasdef='f'
AND lower(relname)='admin' AND lower(relname)='admin'
$db = $_GET['db']; $db = $_GET['db'];
$cmd = "pg_dump -c -D -f /tix/miner/miner.sql -F p -N -U postgres $db"; $cmd = "pg_dump -c -D -f /tix/miner/miner.sql -F p -N -U postgres $db";
$res = `$cmd`; $res = `$cmd`;
// Alternate: $res = shell_exec($cmd); // Alternate: $res = shell_exec($cmd);
echo $res; echo $res;
*/ */
if ($_SERVER['REQUEST_METHOD'] == "GET") if ($_SERVER['REQUEST_METHOD'] == "GET")
{ {
umask (077); umask (077);
$path = (ini_get('upload_tmp_dir') != '') ? ini_get('upload_tmp_dir') : '/tmp'; $path = (ini_get('upload_tmp_dir') != '') ? ini_get('upload_tmp_dir') : '/tmp';
$filename = "postfixadmin-" . date ("Ymd") . "-" . getmypid() . ".sql"; $filename = "postfixadmin-" . date ("Ymd") . "-" . getmypid() . ".sql";
$backup = $path . DIRECTORY_SEPARATOR . $filename; $backup = $path . DIRECTORY_SEPARATOR . $filename;
$header = "#\n# Postfix Admin $version\n# Date: " . date ("D M j G:i:s T Y") . "\n#\n";
$header = "#\n# Postfix Admin $version\n# Date: " . date ("D M j G:i:s T Y") . "\n#\n"; if (!$fh = fopen ($backup, 'w'))
{
$tMessage = "<div class=\"error_msg\">Cannot open file ($backup)</div>";
include ("templates/header.php");
include ("templates/menu.php");
include ("templates/message.php");
include ("templates/footer.php");
}
else
{
fwrite ($fh, $header);
if (!$fh = fopen ($backup, 'w')) $tables = array(
{ 'admin',
$tMessage = "<div class=\"error_msg\">Cannot open file ($backup)</div>"; 'alias',
include ("templates/header.php"); 'alias_domain',
include ("templates/menu.php"); 'config',
include ("templates/message.php"); 'domain',
include ("templates/footer.php"); 'domain_admins',
} 'fetchmail',
else 'log',
{ 'mailbox',
fwrite ($fh, $header); 'quota',
'quota2',
$tables = array( 'vacation',
'admin', 'vacation_notification'
'alias', );
'alias_domain',
'config',
'domain',
'domain_admins',
'fetchmail',
'log',
'mailbox',
'quota',
'quota2',
'vacation',
'vacation_notification'
);
for ($i = 0 ; $i < sizeof ($tables) ; ++$i) for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
{ {
$result = db_query ("SHOW CREATE TABLE " . table_by_key($tables[$i])); $result = db_query ("SHOW CREATE TABLE " . table_by_key($tables[$i]));
if ($result['rows'] > 0) if ($result['rows'] > 0)
{
while ($row = db_array ($result['result']))
{ {
fwrite ($fh, "$row[1];\n\n"); while ($row = db_array ($result['result']))
{
fwrite ($fh, "$row[1];\n\n");
}
} }
} }
}
for ($i = 0 ; $i < sizeof ($tables) ; ++$i) for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
{ {
$result = db_query ("SELECT * FROM " . table_by_key($tables[$i])); $result = db_query ("SELECT * FROM " . table_by_key($tables[$i]));
if ($result['rows'] > 0) if ($result['rows'] > 0)
{
while ($row = db_assoc ($result['result']))
{ {
foreach ($row as $key=>$val) while ($row = db_assoc ($result['result']))
{ {
$fields[] = $key; $fields = array_keys($row);
$values[] = $val; $values = array_values($row);
} $values = array_map('escape_string', $values);
fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n"); $fields = "";
$fields = ""; $values = "";
$values = ""; }
} }
} }
} }
} header ("Content-Type: text/plain");
header ("Content-Type: text/plain"); header ("Content-Disposition: attachment; filename=\"$filename\"");
header ("Content-Disposition: attachment; filename=\"$filename\""); header ("Content-Transfer-Encoding: binary");
header ("Content-Transfer-Encoding: binary"); header ("Content-Length: " . filesize("$backup"));
header ("Content-Length: " . filesize("$backup")); header ("Content-Description: Postfix Admin");
header ("Content-Description: Postfix Admin"); $download_backup = fopen ("$backup", "r");
$download_backup = fopen ("$backup", "r"); unlink ("$backup");
unlink ("$backup"); fpassthru ($download_backup);
fpassthru ($download_backup);
} }
/* vim: set expandtab softtabstop=3 tabstop=3 shiftwidth=3: */ /* vim: set expandtab softtabstop=3 tabstop=3 shiftwidth=3: */
?> ?>
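Review bot: NULL column values are still not preserved by the rewritten INSERT: `$values = array_map('escape_string', $values);` escapes every value and the following `implode ('\',\'',$values)` wraps each one in single quotes, so a NULL presumably ends up as `''` in the dump and restores as an empty string rather than NULL (escape_string's handling of null is not visible here — confirm). Emitting an unquoted `NULL` for null values keeps the escaping fix while letting the dump round-trip, which means the quoting has to move out of the implode separator and into the per-value step. The `$fields = ""; $values = "";` resets after the fwrite are now dead code, since both are reassigned from `array_keys`/`array_values` at the top of each iteration. Unrelated to this change but in the same loop, the SELECT reads from `table_by_key($tables[$i])` while the INSERT names the bare `$tables[$i]`, so a dump taken with a table prefix configured would not restore into the same tables.
```php
while ($row = db_assoc ($result['result']))
{
    $fields = array_keys($row);
    // emit NULL unquoted so a restore keeps it; every other value is escaped, then quoted
    $quoted = array();
    foreach ($row as $val)
    {
        $quoted[] = is_null($val) ? 'NULL' : "'" . escape_string($val) . "'";
    }
    fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES (" . implode (',',$quoted) . ");\n");
}
```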
