From a65661deeaa88cea6eace3effa8d226439475959 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Thu, 5 Oct 2017 13:18:45 +0200 Subject: [PATCH 01/10] * Fix for remote code execution * PHP7 warnings in DA code * Additional attributes support --- Library/Bootstrap.php | 2 +- Library/Data/Analysis.php | 13 ++++++++++--- View/Stats/Stats.phtml | 20 ++++++++++++++++++++ stats.php | 12 +++++++++++- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/Library/Bootstrap.php b/Library/Bootstrap.php index b433c9e..df72fa3 100644 --- a/Library/Bootstrap.php +++ b/Library/Bootstrap.php @@ -4,7 +4,7 @@ header('Cache-Control: no-cache, must-revalidate'); # Constants declaration -define('CURRENT_VERSION', '1.3.0'); +define('CURRENT_VERSION', '1.3.1'); # PHP < 5.3 Compatibility if (defined('ENT_IGNORE') === false) { diff --git a/Library/Data/Analysis.php b/Library/Data/Analysis.php index 23db341..a741abf 100644 --- a/Library/Data/Analysis.php +++ b/Library/Data/Analysis.php @@ -71,9 +71,16 @@ public static function diff($array, $stats) # Diff for each key foreach ($stats as $key => $value) { - if (isset($array[$key])) { - $stats[$key] = $value - $array[$key]; - } + + if (!isset($array[$key])) + continue; + + # Make sure we're dealing with a real number + $v = $array[$key]; + if (!is_float($v) && !is_int($v)) + continue; + + $stats[$key] = $value - $v; } return $stats; diff --git a/View/Stats/Stats.phtml b/View/Stats/Stats.phtml index 7903a17..f1abe3a 100644 --- a/View/Stats/Stats.phtml +++ b/View/Stats/Stats.phtml @@ -222,6 +222,26 @@ if((isset($_REQUEST['server'])) && ($_ini->server($_REQUEST['server']))) Evicted unfetched + + +
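Review bot: The new numeric guard in `Analysis::diff()` checks only `$array[$key]`; `$value` from `$stats` still goes into the subtraction unchecked, so a non-numeric current value can still raise the PHP 7 warning this commit targets. `is_int`/`is_float` also reject numeric strings, so if the stored snapshot holds its counters as strings (not visible in this hunk) every key is skipped and the caller silently gets absolute values instead of deltas. Consider `if (!is_numeric($v) || !is_numeric($value)) { continue; }`. The function starts before this hunk and its closing brace is outside it; the same guard is only re-braced in PATCH 05/10 and 07/10.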
+ Reclaimed fast + +
+
+ Reclaimed fast bytes + +
+
+ Reclaimed item passes + +
+
+ Reclaim item found + +
+ + get('file_path') . '*', GLOB_NOSORT); foreach ($files as $path) { - # Getting file last modification time + + # Only delete files which were created by us + if (strpos($path, ".mcatmp.txt") === false || strpos($path, "live_stats") === false) + continue; + + # Getting file last modification time $stats = @stat($path); # Deleting file older than 24 hours @@ -69,6 +74,11 @@ $live_stats_id = $_COOKIE['live_stats_id' . $hash]; } +# Prefix the file to not allow setting custom extension via cookie +# https://rstforums.com/forum/topic/85493-phpmemcachedadmin-122-remote-code-execution/ +$live_stats_id = str_replace(chr(0), "", $live_stats_id); +$live_stats_id = "{$live_stats_id}.mcatmp.txt"; + # Live stats dump file $file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id; From 3ddde54f279569e1043e179e54ceb1f7755e35e8 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Fri, 6 Oct 2017 10:01:20 +0200 Subject: [PATCH 02/10] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 92a5f5d..a6a1f52 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # PHPMemcachedAdmin # +PHPMemcachedAdmin contains critical security bug (up to, and including v 1.3.0) which allows for remote code execution. This repository is aimed to increase PMA security by fixing this bug and (optionally) adding login option. + ### Graphic stand-alone administration for memcached to monitor and debug purpose ### This program allows to see in **real-time** (top-like) or from the start of the server, **stats for get, set, delete, increment, decrement, evictions, reclaimed, cas command**, as well as **server stats** (network, items, server version) with googlecharts and **server internal configuration** 
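Review bot: The ownership test in the cleanup loop is a substring match on the whole glob result, so `.mcatmp.txt` or `live_stats` appearing anywhere in the path, including in a directory component of `file_path`, satisfies it. Anchoring the test to the file name makes "created by us" mean what the comment says: `$name = basename($path); if (strpos($name, 'live_stats.') !== 0 || substr($name, -11) !== '.mcatmp.txt') { continue; }`. A short comment noting that the prefix and suffix must stay in sync with the `$file_path` construction further down would also help. The condition is carried over unchanged (only re-braced) in PATCH 06/10, and the hunk header for this section is missing from the page, so the enclosing block is only partly visible.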
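Review bot: After this change the cookie-supplied `$live_stats_id` is still concatenated into `$file_path` with only NUL bytes removed, so directory separators and `..` segments pass through and the forced `.mcatmp.txt` suffix fixes the extension but not the directory the file lands in. Restricting the value to the characters the application itself generates closes that, e.g. `$live_stats_id = preg_replace('/[^A-Za-z0-9_]/', '', $live_stats_id);` before the suffix is appended. The id generation is outside this hunk, so the exact character set needs confirming. An empty result should fall back to generating a fresh id rather than writing to `live_stats..mcatmp.txt`. The code that reads the cookie starts above the hunk and the use of `$file_path` continues below it.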
@@ -45,4 +47,4 @@ Unzip/Untar & Give files permissions You have to give **Read & Execute right to all files**, and **Read, Write & Execute to configuration files and temporary directory**. -More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/ \ No newline at end of file +More information in https://blog.elijaa.org/phpmemcachedadmin-installation-guide/ From dc209181f3977bea5a6d14c22747eaa6ca0cb0fc Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:10:41 +0200 Subject: [PATCH 03/10] Update Stats.phtml --- View/Stats/Stats.phtml | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/View/Stats/Stats.phtml b/View/Stats/Stats.phtml index f1abe3a..3677ff0 100644 --- a/View/Stats/Stats.phtml +++ b/View/Stats/Stats.phtml @@ -221,27 +221,7 @@ if((isset($_REQUEST['server'])) && ($_ini->server($_REQUEST['server'])))
Evicted unfetched -
- - -
- Reclaimed fast - -
-
- Reclaimed fast bytes - -
-
- Reclaimed item passes - -
-
- Reclaim item found - -
- - + cluster($_REQUEST['ser Bytes - \ No newline at end of file + From 05919ded44410d9bd642b9d011926c1081b93a67 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:12:54 +0200 Subject: [PATCH 04/10] Update Stats.phtml --- View/Stats/Stats.phtml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/View/Stats/Stats.phtml b/View/Stats/Stats.phtml index 3677ff0..0a9f8b9 100644 --- a/View/Stats/Stats.phtml +++ b/View/Stats/Stats.phtml @@ -221,7 +221,7 @@ if((isset($_REQUEST['server'])) && ($_ini->server($_REQUEST['server'])))
Evicted unfetched -
+ Date: Tue, 10 Oct 2017 15:18:00 +0200 Subject: [PATCH 05/10] Update Analysis.php --- Library/Data/Analysis.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Library/Data/Analysis.php b/Library/Data/Analysis.php index a741abf..f659a76 100644 --- a/Library/Data/Analysis.php +++ b/Library/Data/Analysis.php @@ -71,14 +71,15 @@ public static function diff($array, $stats) # Diff for each key foreach ($stats as $key => $value) { - - if (!isset($array[$key])) - continue; - + if (!isset($array[$key])) { + continue; + } + # Make sure we're dealing with a real number $v = $array[$key]; - if (!is_float($v) && !is_int($v)) - continue; + if (!is_float($v) && !is_int($v)) { + continue; + } $stats[$key] = $value - $v; } @@ -323,4 +324,4 @@ public static function hitResize($value) } return sprintf('%.0f%s', $value, $unit); } -} \ No newline at end of file +} From 395bc79e036313df7675441aaf392e175f214bbf Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:19:21 +0200 Subject: [PATCH 06/10] Update stats.php --- stats.php | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/stats.php b/stats.php index 550952d..21241fc 100644 --- a/stats.php +++ b/stats.php @@ -51,10 +51,11 @@ $files = glob($_ini->get('file_path') . '*', GLOB_NOSORT); foreach ($files as $path) { - # Only delete files which were created by us - if (strpos($path, ".mcatmp.txt") === false || strpos($path, "live_stats") === false) - continue; - + # Only delete files which were created by us + if (strpos($path, ".mcatmp.txt") === false || strpos($path, "live_stats") === false) { + continue; + } + # Getting file last modification time $stats = @stat($path); @@ -162,4 +163,4 @@ include 'View/Footer.phtml'; break; -} \ No newline at end of file +} From 94535f77d9a2698d9e333f10b68519ae958071f2 Mon Sep 17 00:00:00 2001 
From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:26:03 +0200 Subject: [PATCH 07/10] Update Analysis.php --- Library/Data/Analysis.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Library/Data/Analysis.php b/Library/Data/Analysis.php index f659a76..2cee6d8 100644 --- a/Library/Data/Analysis.php +++ b/Library/Data/Analysis.php @@ -73,7 +73,7 @@ public static function diff($array, $stats) foreach ($stats as $key => $value) { if (!isset($array[$key])) { continue; - } + } # Make sure we're dealing with a real number $v = $array[$key]; From 8b2b5e8368c8f3d05b6271763aff5b2568231f19 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:27:09 +0200 Subject: [PATCH 08/10] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a6a1f52..b66e756 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # PHPMemcachedAdmin # -PHPMemcachedAdmin contains critical security bug (up to, and including v 1.3.0) which allows for remote code execution. This repository is aimed to increase PMA security by fixing this bug and (optionally) adding login option. +PHPMemcachedAdmin contains critical security bug (up to, and including v 1.3.0) which allows for remote code execution. Version 1.3.1 has this security exploit fixed. ### Graphic stand-alone administration for memcached to monitor and debug purpose ### From 79da1e88c5a153864f83b502383759f34166452d Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:30:26 +0200 Subject: [PATCH 09/10] Update Stats.phtml From a0a76ef2cf6058fecdab6a3c0de91f826c597e15 Mon Sep 17 00:00:00 2001 From: slawomir-pryczek Date: Tue, 10 Oct 2017 15:36:28 +0200 Subject: [PATCH 10/10] fix ending lines --- Library/Data/Analysis.php | 2 +- View/Stats/Stats.phtml | 2 +- stats.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Library/Data/Analysis.php b/Library/Data/Analysis.php index 2cee6d8..7445f74 100644 
--- a/Library/Data/Analysis.php +++ b/Library/Data/Analysis.php @@ -324,4 +324,4 @@ public static function hitResize($value) } return sprintf('%.0f%s', $value, $unit); } -} +} \ No newline at end of file diff --git a/View/Stats/Stats.phtml b/View/Stats/Stats.phtml index 0a9f8b9..7903a17 100644 --- a/View/Stats/Stats.phtml +++ b/View/Stats/Stats.phtml @@ -548,4 +548,4 @@ elseif((isset($_REQUEST['server'])) && ($cluster = $_ini->cluster($_REQUEST['ser Bytes - + \ No newline at end of file diff --git a/stats.php b/stats.php index 21241fc..4315ed3 100644 --- a/stats.php +++ b/stats.php @@ -163,4 +163,4 @@ include 'View/Footer.phtml'; break; -} +} \ No newline at end of file