diff --git a/ChangeLog b/ChangeLog
index a312bbad4..a4f18d06d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
$Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
+2.11.7.1 ()
+- bug #1908719 [security] XSRF/CSRF by manipulating the db,
+ convcharset and collation_connection parameters,
+ thanks to YGN Ethical Hacker Group
+
2.11.7.0 (2008-06-23)
- bug #1908719 [interface] New field cannot be auto-increment and primary key
- [dbi] Incorrect interpretation for some mysqli field flags
diff --git a/db_create.php b/db_create.php
index ec00be636..e60d4755c 100644
--- a/db_create.php
+++ b/db_create.php
@@ -12,7 +12,7 @@ require_once './libraries/common.inc.php';
$js_to_run = 'functions.js';
require_once './libraries/mysql_charsets.lib.php';
-PMA_checkParameters(array('db'));
+PMA_checkParameters(array('new_db'));
/**
* Defines the url to return to in case of error in a sql statement
@@ -22,7 +22,7 @@ $err_url = 'main.php?' . PMA_generate_common_url();
/**
* Builds and executes the db creation sql query
*/
-$sql_query = 'CREATE DATABASE ' . PMA_backquote($db);
+$sql_query = 'CREATE DATABASE ' . PMA_backquote($new_db);
if (!empty($db_collation) && PMA_MYSQL_INT_VERSION >= 40101) {
list($db_charset) = explode('_', $db_collation);
if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
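Review bot: The switch from `$db` to `$new_db` is the actual CSRF fix here, but nothing in the hunk records why, so a later cleanup could "simplify" it back to `$db` and silently reopen the hole. From the common.inc.php hunk, `db` stays on the token-free allow list while `new_db` does not, so only a token-carrying form submission can populate it; a one-line comment should say so, e.g. `// Use 'new_db' rather than 'db': 'db' is accepted without a token (allow_list), 'new_db' is not.` placed above the `PMA_checkParameters(array('new_db'))` call in the previous hunk or above this `CREATE DATABASE` line. Note also that `PMA_checkParameters` appears to check only presence, so identifier safety still rests entirely on `PMA_backquote` escaping embedded backticks, which I cannot verify from this hunk.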
@@ -42,7 +42,8 @@ if (! $result) {
require_once './libraries/header.inc.php';
require_once './main.php';
} else {
- $message = $strDatabase . ' ' . htmlspecialchars($db) . ' ' . $strHasBeenCreated;
+ $message = $strDatabase . ' ' . htmlspecialchars($new_db) . ' ' . $strHasBeenCreated;
+ $GLOBALS['db'] = $new_db;
require_once './libraries/header.inc.php';
require_once './' . $cfg['DefaultTabDatabase'];
}
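Review bot: The new `$GLOBALS['db'] = $new_db;` write has no comment explaining its purpose, and a reader may take it for a leftover of the rename. It appears to exist so that `$cfg['DefaultTabDatabase']` included on the next line operates on the database just created; suggest `// Make the freshly created database the current one for the tab included below.` directly above it. If that inference is wrong, the comment should be adjusted rather than omitted.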
diff --git a/index.php b/index.php
index c3815bf47..c917b3bc6 100644
--- a/index.php
+++ b/index.php
@@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
var server = '';
var table = '';
var db = '';
+ var token = '';
var text_dir = '';
var pma_absolute_uri = '';
diff --git a/js/querywindow.js b/js/querywindow.js
index a07d16794..e089d75c8 100644
--- a/js/querywindow.js
+++ b/js/querywindow.js
@@ -75,6 +75,7 @@ function setTable(new_table) {
*
* @uses goTo()
* @uses opendb_url
+ * @uses token
* @uses db
* @uses server
* @uses table
@@ -92,6 +93,7 @@ function refreshMain(url) {
}
}
goTo(url + '?server=' + encodeURIComponent(server) +
+ '&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) +
@@ -103,6 +105,7 @@ function refreshMain(url) {
* reloads navigation frame
*
* @uses goTo()
+ * @uses token
* @uses db
* @uses server
* @uses table
@@ -112,6 +115,7 @@ function refreshMain(url) {
*/
function refreshNavigation() {
goTo('navigation.php?server=' + encodeURIComponent(server) +
+ '&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) +
@@ -185,8 +189,8 @@ function markDbTable(db, table)
/**
* sets current selected server, table and db (called from libraries/footer.inc.php)
*/
-function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) {
- //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )');
+function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) {
+ //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )');
if (new_server != server || new_lang != lang
|| new_collation_connection != collation_connection) {
// something important has changed
@@ -195,6 +199,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab
table = new_table;
collation_connection = new_collation_connection;
lang = new_lang;
+ token = new_token;
refreshNavigation();
} else if (new_db != db || new_table != table) {
// save new db and table
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 7bf04a032..d6cc39248 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -398,7 +398,8 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
- 'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target',
+ /* needed for direct access, see FAQ 1.34 */
+ 'db', 'table', 'target',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */
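Review bot: The hunk removes `lang` and `server` from the token-free allow list as well as `convcharset` and `collation_connection`, but neither the new comment nor the ChangeLog entry mentions `lang`/`server`, so direct links of the form `index.php?server=2&db=foo` (the FAQ 1.34 case the comment cites) presumably lose their server selection after this change. If that is intended, say so next to the list, e.g. `/* server, lang, convcharset and collation_connection now require a valid token; see 2.11.7.1 ChangeLog */`; if not, `server` probably belongs back on the list. The surrounding `$allow_list` array and the token check in the hunk header continue outside this hunk.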
diff --git a/libraries/display_create_database.lib.php b/libraries/display_create_database.lib.php
index b5b5ba485..fcccecbbb 100644
--- a/libraries/display_create_database.lib.php
+++ b/libraries/display_create_database.lib.php
@@ -21,7 +21,7 @@ if ($is_create_db_priv) {
' . $strCreateNewDatabase . ' ' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?>
-
+
= 40101) {
require_once './libraries/mysql_charsets.lib.php';
diff --git a/libraries/footer.inc.php b/libraries/footer.inc.php
index e02c69ac6..81b090f06 100644
--- a/libraries/footer.inc.php
+++ b/libraries/footer.inc.php
@@ -74,7 +74,8 @@ if (window.parent.setAll) {
echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
echo PMA_escapeJsString($GLOBALS['server']) . "', '";
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
- echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>');
+ echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '";
+ echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>');
}
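Review bot: The new argument reads `$_SESSION[' PMA_token ']` directly while the neighbouring `db` and `table` arguments are wrapped in `PMA_ifSetOr(..., '')`; if the session key is ever absent at footer time this emits a notice and passes an empty string to setAll. For consistency with the adjacent lines use `echo PMA_escapeJsString(PMA_ifSetOr($_SESSION[' PMA_token '], ''));?>');` (and a space before `?>` to match the rest of the file). The token is escaped with `PMA_escapeJsString` inside a single-quoted JS string like the other arguments, which looks correct; the enclosing `if (window.parent.setAll)` block starts before this hunk.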