protection against cross-frame scripting

2008-07-24 17:12:32 +00:00
parent 37b3fbb8e3
commit 152a7342fd
4 changed files with 36 additions and 0 deletions
--- a/2
+++ b/2
@@ -93,6 +93,8 @@ danbarry
 - patch #2020630 [export] Safari and timedate, thanks to Sebastian Mendel,
  Isaac Bennetch and Jürgen Wind 
 - bug #2022182 [import, export] Import/Export fails because of Mac files
+- [security] protection against cross-frame scripting and
+  new directive AllowThirdPartyFraming, thanks to YGN Ethical Hacker Group

 2.11.7.1 (2008-07-15)
 - bug [security] XSRF/CSRF by manipulating the db,
--- a/Documentation.html
+++ b/Documentation.html
@@ -577,6 +577,11 @@ GRANT ALL PRIVILEGES ON user_base.* TO 'real_user'@localhost IDENTIFIED BY 'real
    You can set this parameter to <tt>TRUE</tt> to stop this message 
    from appearing.</dd>

+    <dt id="cfg_AllowThirdPartyFraming">$cfg['AllowThirdPartyFraming'] boolean</dt>
+    <dd>Setting this to <tt>true</tt> allows a page located on a different
+    domain to call phpMyAdmin inside a frame, and is a potential security
+    hole allowing cross-frame scripting attacks.</dd>
+
    <dt id="cfg_blowfish_secret">$cfg['blowfish_secret'] string</dt>
    <dd>The &quot;cookie&quot; auth_type uses blowfish
        algorithm to encrypt the password.<br />
--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -53,6 +53,14 @@ $cfg['PmaNoRelation_DisableWarning'] = false;
 */
 $cfg['SuhosinDisableWarning'] = false;

+/**
+ * Allows phpMyAdmin to be included from a document located on
+ * another domain; setting this to true is a potential security hole
+ *
+ * @global boolean $cfg['AllowThirdPartyFraming']
+ */
+$cfg['AllowThirdPartyFraming'] = false;
+
 /**
 * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
 * at least one server configuration uses 'cookie' auth_type, enter here a
--- a/libraries/header_scripts.inc.php
+++ b/libraries/header_scripts.inc.php
@@ -13,6 +13,27 @@ if (! defined('PHPMYADMIN')) {
 */
 require_once './libraries/common.inc.php';

+
+// Cross-framing protection
+if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming']) {
+?>
+<script type="text/javascript">
+try {
+    // can't access this if on a different domain
+    var topdomain = top.document.domain;
+    // double-check just for sure
+    if (topdomain != self.document.domain) {
+        alert("Redirecting...");
+        top.location.replace(self.document.URL.substring(0, self.document.URL.lastIndexOf("/")+1));
+    }
+}
+catch(e) {
+    alert("Redirecting... (error: " + e);
+    top.location.replace(self.document.URL.substring(0, self.document.URL.lastIndexOf("/")+1));
+}
+</script>
+<?php
+}
 // generate title
 $title = str_replace(
            array(