fix: enhance security by implementing CSRF protection and using prepared statements for database operations

Daniel Neto · Daniel Neto · commit b3fa7869dcb9 · 2026-03-16T10:46:49.000-03:00
GHSA-2f9h-23f7-8gcx
diff --git a/install/.htaccess b/install/.htaccess
@@ -0,0 +1,5 @@
+# Defense-in-depth: prevent directory listing of the install directory.
+# Access control for checkConfiguration.php is enforced in PHP via a
+# session CSRF token (generated by index.php), so the endpoint works
+# correctly for remote installs while still blocking blind POST attacks.
+Options -Indexes
diff --git a/install/checkConfiguration.php b/install/checkConfiguration.php
@@ -4,6 +4,25 @@
     exit;
 }
 
+// CWE-306: Require a valid session CSRF token generated by install/index.php.
+// This prevents any direct (blind) POST from a remote attacker because the
+// token is only accessible to whoever loaded the install wizard in a browser.
+// CLI usage (php install/install.php) is exempt — it is already protected by
+// the isCommandLineInterface() guard at the top of install.php.
+if (php_sapi_name() !== 'cli') {
+    if (session_status() === PHP_SESSION_NONE) {
+        session_start();
+    }
+    $_installToken = isset($_SESSION['install_csrf_token']) ? $_SESSION['install_csrf_token'] : '';
+    if (empty($_installToken) ||
+        empty($_POST['install_csrf_token']) ||
+        !hash_equals($_installToken, $_POST['install_csrf_token'])) {
+        header('Content-Type: application/json');
+        echo json_encode(['error' => 'Invalid or missing install token. Please reload the install page and try again.']);
+        exit;
+    }
+}
+
 
 $installationVersion = "25.0";
 
@@ -117,12 +136,22 @@
 }
 
 error_log("Installation: ".__LINE__);
-$sql = "INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '" . $_POST['contactEmail'] . "', '" . md5($_POST['systemAdminPass']) . "', now(), now(), true)";
-
-try {
-    $mysqli->query($sql);
-} catch (Exception $exc) {
-    $obj->error = "Error deleting user: " . $mysqli->error;
+// CWE-89: Use a prepared statement to prevent SQL injection via contactEmail.
+// Also use the application's standard password hash (md5+whirlpool+sha1) so
+// the account works with the normal login flow instead of the legacy md5-only
+// fallback path.
+$hashedPass = md5(hash("whirlpool", sha1($_POST['systemAdminPass'])));
+$stmt = $mysqli->prepare("INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)");
+if ($stmt) {
+    $stmt->bind_param("ss", $_POST['contactEmail'], $hashedPass);
+    $stmt->execute();
+    if ($stmt->error) {
+        $obj->error = "Error inserting admin user: " . $stmt->error;
+        echo json_encode($obj);
+    }
+    $stmt->close();
+} else {
+    $obj->error = "Error preparing user insert: " . $mysqli->error;
     echo json_encode($obj);
 }
 
@@ -160,9 +189,13 @@
     $encoder = "{$_POST['webSiteRootURL']}Encoder/";
 }
 
+$safeWebSiteTitle  = $mysqli->real_escape_string($_POST['webSiteTitle']);
+$safeMainLanguage  = $mysqli->real_escape_string($_POST['mainLanguage']);
+$safeContactEmail  = $mysqli->real_escape_string($_POST['contactEmail']);
+$safeEncoder       = $mysqli->real_escape_string($encoder);
 $sql = "INSERT INTO configurations (id, video_resolution, users_id, version, webSiteTitle, language, contactEmail, encoderURL,  created, modified) "
         . " VALUES "
-        . " (1, '858:480', 1,'{$installationVersion}', '{$_POST['webSiteTitle']}', '{$_POST['mainLanguage']}', '{$_POST['contactEmail']}', '{$encoder}', now(), now())";
+        . " (1, '858:480', 1,'{$installationVersion}', '{$safeWebSiteTitle}', '{$safeMainLanguage}', '{$safeContactEmail}', '{$safeEncoder}', now(), now())";
  try {
     $mysqli->query($sql);
 } catch (Exception $exc) {
diff --git a/install/index.php b/install/index.php
@@ -2,6 +2,17 @@
 require_once '../objects/functions.php';
 require_once '../locale/function.php';
 //var_dump($_SERVER);exit;
+
+// Generate a one-time CSRF token for the install form.
+// checkConfiguration.php validates this token so that direct POST requests
+// (without first loading this page) are rejected.
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+if (empty($_SESSION['install_csrf_token'])) {
+    $_SESSION['install_csrf_token'] = bin2hex(random_bytes(32));
+}
+$_installCsrfToken = $_SESSION['install_csrf_token'];
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -443,7 +454,8 @@
                             mainLanguage: mainLanguage,
                             systemAdminPass: systemAdminPass,
                             contactEmail: contactEmail,
-                            createTables: createTables
+                            createTables: createTables,
+                            install_csrf_token: '<?php echo htmlspecialchars($_installCsrfToken, ENT_QUOTES, "UTF-8"); ?>'
                         },
                         type: 'post',
                         success: function (response) {
diff --git a/install/install.php b/install/install.php
@@ -1,58 +1,69 @@
-<?php
-require_once '../objects/functions.php';
-if (!isCommandLineInterface()) {
-    die('Command Line only');
-}
-if (file_exists("../videos/configuration.php")) {
-    die("Can not create configuration again: " . json_encode($_SERVER));
-}
-
-
-$databaseUser = "youphptube";
-$databasePass = "youphptube";
-if (version_compare(phpversion(), '7.2', '<')) {
-    $databaseUser = "root";
-}
-
-$webSiteRootURL = @$argv[1];
-$webSiteRootURL = preg_replace("/[^0-9a-z._\/:-]/i", "", trim($webSiteRootURL));
-$databaseUser = empty($argv[2]) ? $databaseUser : $argv[2];
-$databasePass = empty($argv[3]) ? $databasePass : $argv[3];
-$systemAdminPass = empty($argv[4]) ? "123" : $argv[4];
-$contactEmail = empty($argv[5]) ? "undefined@youremail.com" : $argv[5];
-if (!filter_var($webSiteRootURL, FILTER_VALIDATE_URL)) {
-    if (!empty($webSiteRootURL)) {
-        echo "Invalid Site URL ({$webSiteRootURL})\n";
-    }
-    echo "Enter Site URL\n";
-    @ob_flush();
-    $webSiteRootURL = trim(readline(""));
-    if (!filter_var($webSiteRootURL, FILTER_VALIDATE_URL)) {
-        die("Invalid Site URL ({$webSiteRootURL})\n");
-    }
-}
-
-$webSiteRootURL = rtrim($webSiteRootURL, '/') . '/';
-
-$_POST['systemRootPath'] = str_replace("install", "", getcwd());
-if (!is_dir($_POST['systemRootPath'])) {
-    $_POST['systemRootPath'] = "/var/www/html/YouPHPTube/";
-    if (!is_dir($_POST['systemRootPath'])) {
-        $_POST['systemRootPath'] = "/var/www/html/AVideo/";
-    }
-}
-
-
-$_POST['databaseHost'] = "localhost";
-$_POST['databaseUser'] = $databaseUser;
-$_POST['databasePass'] = $databasePass;
-$_POST['databasePort'] = "3306";
-$_POST['databaseName'] = "AVideo_". preg_replace("/[^0-9a-z]/i", "", parse_url($webSiteRootURL, PHP_URL_HOST));
-$_POST['createTables'] = 2;
-$_POST['contactEmail'] = $contactEmail;
-$_POST['systemAdminPass'] = $systemAdminPass;
-$_POST['mainLanguage'] = "en";
-$_POST['webSiteTitle'] = "AVideo";
-$_POST['webSiteRootURL'] = $webSiteRootURL;
-
-include './checkConfiguration.php';
+<?php
+require_once '../objects/functions.php';
+if (!isCommandLineInterface()) {
+    die('Command Line only');
+}
+if (file_exists("../videos/configuration.php")) {
+    die("Can not create configuration again: " . json_encode($_SERVER));
+}
+
+
+$databaseUser = "youphptube";
+$databasePass = "youphptube";
+if (version_compare(phpversion(), '7.2', '<')) {
+    $databaseUser = "root";
+}
+
+$webSiteRootURL = @$argv[1];
+$webSiteRootURL = preg_replace("/[^0-9a-z._\/:-]/i", "", trim($webSiteRootURL));
+$databaseUser = empty($argv[2]) ? $databaseUser : $argv[2];
+$databasePass = empty($argv[3]) ? $databasePass : $argv[3];
+if (empty($argv[4])) {
+    echo "Enter admin password (leave blank to generate a random one): ";
+    @ob_flush();
+    $systemAdminPass = trim(readline(""));
+    if (empty($systemAdminPass)) {
+        $systemAdminPass = bin2hex(random_bytes(8));
+        echo "Generated admin password: {$systemAdminPass}\n";
+        echo "IMPORTANT: Save this password now, it will not be shown again.\n";
+    }
+} else {
+    $systemAdminPass = $argv[4];
+}
+$contactEmail = empty($argv[5]) ? "undefined@youremail.com" : $argv[5];
+if (!filter_var($webSiteRootURL, FILTER_VALIDATE_URL)) {
+    if (!empty($webSiteRootURL)) {
+        echo "Invalid Site URL ({$webSiteRootURL})\n";
+    }
+    echo "Enter Site URL\n";
+    @ob_flush();
+    $webSiteRootURL = trim(readline(""));
+    if (!filter_var($webSiteRootURL, FILTER_VALIDATE_URL)) {
+        die("Invalid Site URL ({$webSiteRootURL})\n");
+    }
+}
+
+$webSiteRootURL = rtrim($webSiteRootURL, '/') . '/';
+
+$_POST['systemRootPath'] = str_replace("install", "", getcwd());
+if (!is_dir($_POST['systemRootPath'])) {
+    $_POST['systemRootPath'] = "/var/www/html/YouPHPTube/";
+    if (!is_dir($_POST['systemRootPath'])) {
+        $_POST['systemRootPath'] = "/var/www/html/AVideo/";
+    }
+}
+
+
+$_POST['databaseHost'] = "localhost";
+$_POST['databaseUser'] = $databaseUser;
+$_POST['databasePass'] = $databasePass;
+$_POST['databasePort'] = "3306";
+$_POST['databaseName'] = "AVideo_". preg_replace("/[^0-9a-z]/i", "", parse_url($webSiteRootURL, PHP_URL_HOST));
+$_POST['createTables'] = 2;
+$_POST['contactEmail'] = $contactEmail;
+$_POST['systemAdminPass'] = $systemAdminPass;
+$_POST['mainLanguage'] = "en";
+$_POST['webSiteTitle'] = "AVideo";
+$_POST['webSiteRootURL'] = $webSiteRootURL;
+
+include './checkConfiguration.php';
