The "foreach($_POST)" loop in editconfig.php imports
*any* variable into the script's parameter space. This
is bad. A check is needed, which I implement by using
an array $allowed_params. Parameters are only imported
if their name is available in this array.
I also removed the explicit import of the parameters
(NEW_)DBUSER and (NEW_)DBPASS as they are redundant.
Finally, I removed the chmod 0777 attempt and just issue
the error if the file (config.php) is not writable.
Attached is a diff against 2.61.1. If you need the
whole file I can upload that instead.
It is probably also a good idea to make sure that
INDEX_DIRECTORY is inside the user dir. I am currently
trying to figure out how this can be most easily done
(determining installation path and finding the
associated user and his dir, or maybe by checking file
ownership on one or more files and determining the user
dir from that).
By far the easiest solution to this problem is
introducing a meta config file (metaconfig.php) that
contains such parameters to limit the database admin's
Another proposal I have is the creation of a separate
installation admin (in contrast to the database admin)
that is only responsible for installation
administration. This would mean that editconfig.php is
moved to a different section that is only available to
the installation admin.
As discussed privately, I distinguish 5 security levels
in an installation like phpGedView:
1) root (box owner)
2) box user (installation owner)
3) installation admin (restricted by limits set by #2,
e.g. INDEX_DIRECTORY (and MEDIA_DIRECTORY when
implemented) in metaconfig.php)
4) database admin (only responsible for the
database(s), not for installation and upload paths etc.)
5) The user, either logged in or anonymous
Usually #2 and #3 will be the same user, but this is
not necessarily so.
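An added example, not the attached patch or phpGedView's own code, showing the import loop the post describes beside an allowlisted version, the INDEX_DIRECTORY containment check it proposes, and the is_writable check in place of chmod 0777; $allowed_params, the parameter names and the sample request are assumptions:

```php
<?php
// Added example, not the submitted patch: the import loop the post describes,
// beside an allowlisted version and the INDEX_DIRECTORY containment check it
// proposes. $allowed_params and the parameter names are assumptions.
// BEFORE: every POST field becomes a script variable, so any variable the
// rest of editconfig.php relies on can be set from the request.
function import_post_unsafe(array $post): array {
    $vars = [];
    foreach ($post as $key => $value) {
        $vars[$key] = $value;   // stands in for $$key = $value;
    }
    return $vars;
}

// AFTER: only names listed in $allowed_params are imported; anything else
// in the request is dropped.
function import_post_allowlisted(array $post, array $allowed_params): array {
    $vars = [];
    foreach ($allowed_params as $name) {
        if (array_key_exists($name, $post)) {
            $vars[$name] = $post[$name];
        }
    }
    return $vars;
}

// INDEX_DIRECTORY must resolve inside the installation's base directory.
// realpath() collapses ".." and symlinks; a non-existent path is refused.
function index_dir_is_inside(string $candidate, string $base_dir): bool {
    $real_base = realpath($base_dir);
    $real_candidate = realpath($candidate);
    if ($real_base === false || $real_candidate === false) {
        return false;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_candidate . DIRECTORY_SEPARATOR, $real_base, strlen($real_base)) === 0;
}

// Constructed sample request: one unrelated field and a path that escapes.
$allowed_params = ['DBHOST', 'DBNAME', 'INDEX_DIRECTORY'];
$post = ['DBHOST' => 'localhost', 'INDEX_DIRECTORY' => '../../..',
         'unrelated_variable' => 'set by the client'];
$unsafe = import_post_unsafe($post);                       // has unrelated_variable
$safe   = import_post_allowlisted($post, $allowed_params); // does not
var_dump(isset($unsafe['unrelated_variable']), isset($safe['unrelated_variable']));
if (!index_dir_is_inside(__DIR__ . '/' . $safe['INDEX_DIRECTORY'], __DIR__)) {
    echo "INDEX_DIRECTORY must stay inside the installation directory\n";
}
// Replaces the chmod 0777 attempt: report, do not loosen permissions.
if (!is_writable(__DIR__ . '/config.php')) {
    echo "config.php is not writable; fix its permissions before saving\n";
}
```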