author | Bo Peng | 2018-12-20 06:17:16 +0000 |
---|---|---|
committer | Bo Peng | 2018-12-20 06:17:16 +0000 |
commit | 464ba77d9460b29025ec6454237916b3b35016ba (patch) | |
tree | b122d7bb12b537b1ee7d1b3cb92d7eed9da896e2 | |
parent | d620c09392b438ac750377cb1b3d7a60fb61d125 (diff) |
Fix the vulnerability in which pgpoolAdmin allows an attacker to
log in without the authorization being properly checked.
Once inside pgpoolAdmin, the attacker can control
Pgpool-II. It may also be possible to obtain the superuser
role of a PostgreSQL database.
PgPool Global Development Group would like to thank Fotios Rogkotis
of DarkMatter for finding the security issue and giving us a
detailed study of it.
-rw-r--r-- | login.php | 36 |
1 files changed, 27 insertions, 9 deletions
@@ -19,7 +19,7 @@
 * is" without express or implied warranty.
 *
 * @author Ryuma Ando <ando@ecomas.co.jp>
- * @copyright 2003-2013 PgPool Global Development Group
+ * @copyright 2003-2018 PgPool Global Development Group
 * @version CVS: $Id$
 */
@@ -38,17 +38,21 @@ if (isset($_SESSION[SESSION_LOGIN_USER])) {
 // Do login
 if ($success == FALSE) {
- if (isset($_POST['username'])) {
- $username = $_POST['username'];
+ if (isset($_POST['username']) && $_POST['username'] != '') {
+ $username = trim($_POST['username']);
 } else {
 $tpl->display('login.tpl');
 exit();
 }
- if (isset($_POST['password'])) {
- $password = $_POST['password'];
+ if (isset($_POST['password']) && $_POST['password'] != '') {
+ $password = trim($_POST['password']);
+ } else {
+ $tpl->display('login.tpl');
+ exit();
 }
+ $md5username = md5($username);
 $md5password = md5($password);
 if (!file_exists(_PGPOOL2_PASSWORD_FILE)) {
@@ -60,15 +64,29 @@ if ($success == FALSE) {
 // Check each rows in pcp.conf to search
 $fp = fopen(_PGPOOL2_PASSWORD_FILE, 'r');
- $regexp = "^{$username}:{$md5password}";
+ $input = "{$md5username}:{$md5password}";
 if ($fp != NULL) {
- while (!feof($fp) ) {
- $line = fgets($fp);
- if (preg_match("/$regexp/", $line) ) {
+ while (!feof($fp)) {
+
+ $line = trim(fgets($fp));
+ $line_arr = explode(':', $line);
+
+ // Ignore empty lines and comment lines
+ if (count($line_arr) != 2 || $line_arr[0] == '' || $line_arr[1] == '' ||
+ strpos($line, '#') === 0) {
+ continue;
+ }
+
+ $expected_username = md5($line_arr[0]);
+ $expected_password = $line_arr[1];
+ $expected = "{$expected_username}:{$expected_password}";
+
+ if (hash_equals($expected, $input)) {
 $_SESSION[SESSION_LOGIN_USER] = $username;
 $_SESSION[SESSION_LOGIN_USER_PASSWORD] = $password;
 $success = TRUE;
+ break;
 }
 }
 }
|
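Review bot: In the `@@ -38,17 +38,21 @@` hunk the emptiness test runs on the raw `$_POST` value and `trim()` runs only afterwards, so a whitespace-only field or an array-valued field passes the `!= ''` guard and reaches `md5()` as an empty or non-string value. Normalise first and test the result, e.g. `$username = (isset($_POST['username']) && is_string($_POST['username'])) ? trim($_POST['username']) : '';` followed by `if ($username === '') { $tpl->display('login.tpl'); exit(); }`, and do the same for the password. Trimming the password also changes what gets hashed, so a stored entry whose password begins or ends with a space could presumably never match; a short comment saying this is intended would help. The enclosing `if ($success == FALSE) {` block continues past the end of this hunk.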
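Review bot: In the `@@ -60,15 +64,29 @@` hunk a successful `hash_equals()` match writes the login into `$_SESSION` and no new session id is issued in the visible lines. Unless that happens outside the hunk, add `session_regenerate_id(true);` immediately before `$_SESSION[SESSION_LOGIN_USER] = $username;` so a pre-login session id cannot carry over into the authenticated session. The unchanged line `$_SESSION[SESSION_LOGIN_USER_PASSWORD] = $password;` still keeps the clear-text password in session storage, which deserves at least a comment on why it is needed and where the session data is stored. The reason for `md5($line_arr[0])` is not obvious from the code; if the intent is to give `hash_equals()` two equal-length strings, a one-line comment saying so would help the next reader. The enclosing `if ($success == FALSE) {` block starts before this hunk and is not closed within it.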