From a65661deeaa88cea6eace3effa8d226439475959 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Thu, 5 Oct 2017 13:18:45 +0200 Subject: [PATCH 1/2] * Fix for remote code execution * PHP7 warnings in DA code * Additional attributes support --- Library/Bootstrap.php | 2 +- Library/Data/Analysis.php | 13 ++++++++++--- View/Stats/Stats.phtml | 20 ++++++++++++++++++++ stats.php | 12 +++++++++++- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/Library/Bootstrap.php b/Library/Bootstrap.php index b433c9e..df72fa3 100644 --- a/Library/Bootstrap.php +++ b/Library/Bootstrap.php @@ -4,7 +4,7 @@ header('Cache-Control: no-cache, must-revalidate'); # Constants declaration -define('CURRENT_VERSION', '1.3.0'); +define('CURRENT_VERSION', '1.3.1'); # PHP < 5.3 Compatibility if (defined('ENT_IGNORE') === false) { diff --git a/Library/Data/Analysis.php b/Library/Data/Analysis.php index 23db341..a741abf 100644 --- a/Library/Data/Analysis.php +++ b/Library/Data/Analysis.php @@ -71,9 +71,16 @@ public static function diff($array, $stats) # Diff for each key foreach ($stats as $key => $value) { - if (isset($array[$key])) { - $stats[$key] = $value - $array[$key]; - } + + if (!isset($array[$key])) + continue; + + # Make sure we're dealing with a real number + $v = $array[$key]; + if (!is_float($v) && !is_int($v)) + continue; + + $stats[$key] = $value - $v; } return $stats; diff --git a/View/Stats/Stats.phtml b/View/Stats/Stats.phtml index 7903a17..f1abe3a 100644 --- a/View/Stats/Stats.phtml +++ b/View/Stats/Stats.phtml @@ -222,6 +222,26 @@ if((isset($_REQUEST['server'])) && ($_ini->server($_REQUEST['server']))) Evicted unfetched + + +
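Review bot: The new guard in `diff()` validates only `$array[$key]`; `$value`, the counterpart taken from `$stats`, still reaches `$value - $v` unchecked, so a non-numeric entry on that side keeps producing the PHP 7 warning (and a `TypeError` on PHP 8) the hunk sets out to remove. Checking both operands closes it: `if ((!is_float($v) && !is_int($v)) || (!is_float($value) && !is_int($value))) continue;`. Separately, if the stats arrays still hold the counters as the strings memcached returns them, `is_int`/`is_float` rejects `'42'` and every key is silently skipped; `is_numeric()` would accept those, which is worth confirming against the caller, itself outside the hunk. The three unbraced `if ... continue;` statements also depart from the braced style of the line they replace; braces would keep the block consistent. `diff()`'s closing brace lies beyond the hunk.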
+ Reclaimed fast + +
+
+ Reclaimed fast bytes + +
+
+ Reclaimed item passes + +
+
+ Reclaim item found + +
+ + get('file_path') . '*', GLOB_NOSORT); foreach ($files as $path) { - # Getting file last modification time + + # Only delete files which were created by us + if (strpos($path, ".mcatmp.txt") === false || strpos($path, "live_stats") === false) + continue; + + # Getting file last modification time $stats = @stat($path); # Deleting file older than 24 hours @@ -69,6 +74,11 @@ $live_stats_id = $_COOKIE['live_stats_id' . $hash]; } +# Prefix the file to not allow setting custom extension via cookie +# https://rstforums.com/forum/topic/85493-phpmemcachedadmin-122-remote-code-execution/ +$live_stats_id = str_replace(chr(0), "", $live_stats_id); +$live_stats_id = "{$live_stats_id}.mcatmp.txt"; + # Live stats dump file $file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id; From 3ddde54f279569e1043e179e54ceb1f7755e35e8 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Fri, 6 Oct 2017 10:01:20 +0200 Subject: [PATCH 2/2] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 92a5f5d..a6a1f52 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # PHPMemcachedAdmin # +PHPMemcachedAdmin contains critical security bug (up to, and including v 1.3.0) which allows for remote code execution. This repository is aimed to increase PMA security by fixing this bug and (optionally) adding login option. + ### Graphic stand-alone administration for memcached to monitor and debug purpose ### This program allows to see in **real-time** (top-like) or from the start of the server, **stats for get, set, delete, increment, decrement, evictions, reclaimed, cas command**, as well as **server stats** (network, items, server version) with googlecharts and **server internal configuration** 
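Review bot: The cookie-derived `$live_stats_id` still goes into the file path with only NUL bytes removed; confinement now rests entirely on the fixed `live_stats.` prefix and the appended `.mcatmp.txt` suffix. An allow-list on the value itself is the stronger and easier-to-audit control, e.g. `if (preg_match('/^[A-Za-z0-9_-]+$/', $live_stats_id) !== 1) { /* treat the cookie as absent and issue a fresh id */ }` placed before the suffix is appended; the code that issues the id, and hence the exact character set to permit, is outside the hunk. The comment `# Prefix the file to not allow setting custom extension via cookie` describes a prefix while the code appends a suffix; `# Append a fixed extension so the cookie cannot choose it` matches what the line does. That suffix is now coupled to the cleanup filter earlier in this file (`strpos($path, ".mcatmp.txt")`), so a comment naming that dependency next to the definition would keep the two from drifting apart.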
@@ -45,4 +47,4 @@ Unzip/Untar & Give files permissions You have to give **Read & Execute right to all files**, and **Read, Write & Execute to configuration files and temporary directory**. -More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/ \ No newline at end of file +More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/