Fix for remote code execution

Library/Bootstrap.php

@@ -4,7 +4,7 @@
 header('Cache-Control: no-cache, must-revalidate');
 
 # Constants declaration
-define('CURRENT_VERSION', '1.3.0');
+define('CURRENT_VERSION', '1.3.1');
 
 # PHP < 5.3 Compatibility
 if (defined('ENT_IGNORE') === false) {

Library/Data/Analysis.php

@@ -71,9 +71,16 @@ public static function diff($array, $stats)
 
         # Diff for each key
         foreach ($stats as $key => $value) {
-            if (isset($array[$key])) {
-                $stats[$key] = $value - $array[$key];
-            }
+
+			if (!isset($array[$key]))
+            	continue;
+
+            # Make sure we're dealing with a real number
+            $v = $array[$key];
+            if (!is_float($v) && !is_int($v))
+            	continue;
+
+            $stats[$key] = $value - $v;
         }
 
         return $stats;

README.md

@@ -1,5 +1,7 @@
 # PHPMemcachedAdmin #
 
+PHPMemcachedAdmin contains critical security bug (up to, and including v 1.3.0) which allows for remote code execution. This repository is aimed to increase PMA security by fixing this bug and (optionally) adding login option.
+
 ### Graphic stand-alone administration for memcached to monitor and debug purpose ###
 
 This program allows to see in **real-time** (top-like) or from the start of the server, **stats for get, set, delete, increment, decrement, evictions, reclaimed, cas command**, as well as **server stats** (network, items, server version) with googlecharts and  **server internal configuration**
@@ -45,4 +47,4 @@ Unzip/Untar & Give files permissions
 
 You have to give **Read & Execute right to all files**, and **Read, Write & Execute to configuration files and temporary directory**.
 
-More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/
+More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/

View/Stats/Stats.phtml

@@ -222,6 +222,26 @@ if((isset($_REQUEST['server'])) && ($_ini->server($_REQUEST['server'])))
                 <span class="left setting help" title="Internal name : evicted_unfetched&#013;Items evicted from LRU that were never touched by get/incr/append/etc">Evicted unfetched</span>
                 <?php echo (isset($stats['evicted_unfetched'])) ? Library_Data_Analysis::hitResize($stats['evicted_unfetched']) : 'N/A on ' . $stats['version']; ?>
             </div>
+
+			<? if (isset($stats['*reclaimed_fast'])) { // Additional attributes for custom memcached build ?> 
+			<div class="line" style="background: #DDFFDD">
+				<span class="left setting help" title="Internal name : *reclaimed_fast&#013;Reclaimed fast from LRU, items that were reclaimed by memory scan">Reclaimed fast</span>
+				<?php echo (isset($stats['*reclaimed_fast'])) ? Library_Data_Analysis::hitResize($stats['*reclaimed_fast']) : 'N/A on ' . $stats['version']; ?>
+			</div>
+			<div class="line" style="background: #CCFFCC">
+				<span class="left setting help" title="Internal name : *reclaimed_fast_bytes&#013;Reclaimed fast from LRU, in bytes">Reclaimed fast bytes</span>
+				<?php echo (isset($stats['*reclaimed_fast_bytes'])) ? Library_Data_Analysis::hitResize($stats['*reclaimed_fast_bytes']) : 'N/A on ' . $stats['version']; ?>
+			</div>
+			<div class="line" style="background: #DDFFDD">
+				<span class="left setting help" title="Internal name : *reclaim_item_passes&#013;Reclaimed item passes, number of times memory was scanned for old items">Reclaimed item passes</span>
+				<?php echo (isset($stats['*reclaim_item_passes'])) ? Library_Data_Analysis::hitResize($stats['*reclaim_item_passes']) : 'N/A on ' . $stats['version']; ?>
+			</div>
+			<div class="line" style="background: #CCFFCC">
+				<span class="left setting help" title="Internal name : *reclaim_item_found&#013;Number of old items found using memory scan">Reclaim item found</span>
+				<?php echo (isset($stats['*reclaim_item_found'])) ? Library_Data_Analysis::hitResize($stats['*reclaim_item_found']) : 'N/A on ' . $stats['version']; ?>
+			</div>
+			<? } ?>
+
         </div>
 
 <?php

stats.php

@@ -50,7 +50,12 @@
     # Cleaning temporary directory
     $files = glob($_ini->get('file_path') . '*', GLOB_NOSORT);
     foreach ($files as $path) {
-        # Getting file last modification time
+
+    	# Only delete files which were created by us
+    	if (strpos($path, ".mcatmp.txt") === false || strpos($path, "live_stats") === false)
+    		continue;
+
+    	# Getting file last modification time
         $stats = @stat($path);
 
         # Deleting file older than 24 hours
@@ -69,6 +74,11 @@
     $live_stats_id = $_COOKIE['live_stats_id' . $hash];
 }
 
+# Prefix the file to not allow setting custom extension via cookie 
+# https://rstforums.com/forum/topic/85493-phpmemcachedadmin-122-remote-code-execution/
+$live_stats_id = str_replace(chr(0), "", $live_stats_id);
+$live_stats_id = "{$live_stats_id}.mcatmp.txt";
+
 # Live stats dump file
 $file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id;