[security] XSS and SQL injection
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
|
|||||||
$Id$
|
$Id$
|
||||||
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
|
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
|
||||||
|
|
||||||
|
3.2.2.1 (2009-10-12)
|
||||||
|
- [security] XSS and SQL injection, thanks to Herman van Rink
|
||||||
|
|
||||||
3.2.2.0 (2009-09-13)
|
3.2.2.0 (2009-09-13)
|
||||||
- bug #2825293 [structure] Default value for a BIT column
|
- bug #2825293 [structure] Default value for a BIT column
|
||||||
- bug [display] Red arrows were reversed in the list of tables
|
- bug [display] Red arrows were reversed in the list of tables
|
||||||
@@ -393,6 +396,9 @@ danbarry
|
|||||||
- patch #2115966 [GUI] Checkboxes and IE 7, thanks to Martin - maschg
|
- patch #2115966 [GUI] Checkboxes and IE 7, thanks to Martin - maschg
|
||||||
- bug #1914066 [core] ForceSSL generates incorrectly escaped redirections
|
- bug #1914066 [core] ForceSSL generates incorrectly escaped redirections
|
||||||
|
|
||||||
|
2.11.9.6 (2009-10-12)
|
||||||
|
- [security] XSS and SQL injection, thanks to Herman van Rink
|
||||||
|
|
||||||
2.11.9.5 (2009-03-24)
|
2.11.9.5 (2009-03-24)
|
||||||
- [security] XSS vulnerability on export page
|
- [security] XSS vulnerability on export page
|
||||||
- [security] Insufficient output sanitizing when generating configuration file
|
- [security] Insufficient output sanitizing when generating configuration file
|
||||||
|
@@ -613,7 +613,7 @@ if ($cfgRelation['pdfwork'] && $num_tables > 0) { ?>
|
|||||||
<?php
|
<?php
|
||||||
while ($pages = @PMA_DBI_fetch_assoc($test_rs)) {
|
while ($pages = @PMA_DBI_fetch_assoc($test_rs)) {
|
||||||
echo ' <option value="' . $pages['page_nr'] . '">'
|
echo ' <option value="' . $pages['page_nr'] . '">'
|
||||||
. $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n";
|
. $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n";
|
||||||
} // end while
|
} // end while
|
||||||
PMA_DBI_free_result($test_rs);
|
PMA_DBI_free_result($test_rs);
|
||||||
unset($test_rs);
|
unset($test_rs);
|
||||||
|
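Review bot: `$pages['page_nr']` is still concatenated unescaped into both the option value attribute and the option text on the new line, while only `page_descr` receives `htmlspecialchars()`; if `page_nr` is an integer column this is harmless, but nothing in the hunk establishes that, and escaping every DB-sourced value at the output point is cheaper to review than reasoning per column. The same pattern remains in the `@@ -270` hunk (`$curr_page['page_nr']`) and in the pmd_pdf.php select at `@@ -79` (`$page['page_nr']`). A minimal change is `echo ' <option value="' . htmlspecialchars($pages['page_nr']) . '">' . htmlspecialchars($pages['page_nr']) . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n";`, or a single `(int)` cast if the column is declared integer. The `while` loop is fully inside the hunk; the enclosing `if ($cfgRelation['pdfwork'] && $num_tables > 0)` block starts outside it.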
@@ -387,7 +387,7 @@ foreach ($tables as $keyname => $each_table) {
|
|||||||
|
|
||||||
$row_count++;
|
$row_count++;
|
||||||
if ($table_is_view) {
|
if ($table_is_view) {
|
||||||
$hidden_fields[] = '<input type="hidden" name="views[]" value="' . $each_table['TABLE_NAME'] . '" />';
|
$hidden_fields[] = '<input type="hidden" name="views[]" value="' . htmlspecialchars($each_table['TABLE_NAME']) . '" />';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($each_table['TABLE_ROWS'] > 0) {
|
if ($each_table['TABLE_ROWS'] > 0) {
|
||||||
@@ -433,7 +433,7 @@ foreach ($tables as $keyname => $each_table) {
|
|||||||
<tr class="<?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>">
|
<tr class="<?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>">
|
||||||
<td align="center">
|
<td align="center">
|
||||||
<input type="checkbox" name="selected_tbl[]"
|
<input type="checkbox" name="selected_tbl[]"
|
||||||
value="<?php echo $each_table['TABLE_NAME']; ?>"
|
value="<?php echo htmlspecialchars($each_table['TABLE_NAME']); ?>"
|
||||||
id="checkbox_tbl_<?php echo $i; ?>"<?php echo $checked; ?> /></td>
|
id="checkbox_tbl_<?php echo $i; ?>"<?php echo $checked; ?> /></td>
|
||||||
<th><label for="checkbox_tbl_<?php echo $i; ?>"
|
<th><label for="checkbox_tbl_<?php echo $i; ?>"
|
||||||
title="<?php echo $alias; ?>"><?php echo $truename; ?></label>
|
title="<?php echo $alias; ?>"><?php echo $truename; ?></label>
|
||||||
|
@@ -270,7 +270,7 @@ if ($cfgRelation['pdfwork']) {
|
|||||||
if (isset($chpage) && $chpage == $curr_page['page_nr']) {
|
if (isset($chpage) && $chpage == $curr_page['page_nr']) {
|
||||||
echo ' selected="selected"';
|
echo ' selected="selected"';
|
||||||
}
|
}
|
||||||
echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>';
|
echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>';
|
||||||
} // end while
|
} // end while
|
||||||
echo "\n";
|
echo "\n";
|
||||||
?>
|
?>
|
||||||
@@ -429,12 +429,12 @@ function resetDrag() {
|
|||||||
echo "\n" . ' <td>'
|
echo "\n" . ' <td>'
|
||||||
. "\n" . ' <select name="c_table_' . $i . '[name]">';
|
. "\n" . ' <select name="c_table_' . $i . '[name]">';
|
||||||
foreach ($selectboxall AS $key => $value) {
|
foreach ($selectboxall AS $key => $value) {
|
||||||
echo "\n" . ' <option value="' . $value . '"';
|
echo "\n" . ' <option value="' . htmlspecialchars($value) . '"';
|
||||||
if ($value == $sh_page['table_name']) {
|
if ($value == $sh_page['table_name']) {
|
||||||
echo ' selected="selected"';
|
echo ' selected="selected"';
|
||||||
$tabExist[$_mtab] = TRUE;
|
$tabExist[$_mtab] = TRUE;
|
||||||
}
|
}
|
||||||
echo '>' . $value . '</option>';
|
echo '>' . htmlspecialchars($value) . '</option>';
|
||||||
} // end while
|
} // end while
|
||||||
echo "\n" . ' </select>'
|
echo "\n" . ' </select>'
|
||||||
. "\n" . ' </td>';
|
. "\n" . ' </td>';
|
||||||
@@ -462,7 +462,7 @@ function resetDrag() {
|
|||||||
echo "\n" . ' <td>'
|
echo "\n" . ' <td>'
|
||||||
. "\n" . ' <select name="c_table_' . $i . '[name]">';
|
. "\n" . ' <select name="c_table_' . $i . '[name]">';
|
||||||
foreach ($selectboxall AS $key => $value) {
|
foreach ($selectboxall AS $key => $value) {
|
||||||
echo "\n" . ' <option value="' . $value . '">' . $value . '</option>';
|
echo "\n" . ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
|
||||||
}
|
}
|
||||||
echo "\n" . ' </select>'
|
echo "\n" . ' </select>'
|
||||||
. "\n" . ' </td>';
|
. "\n" . ' </td>';
|
||||||
@@ -493,8 +493,8 @@ function resetDrag() {
|
|||||||
if (!empty($tabExist) && is_array($tabExist)) {
|
if (!empty($tabExist) && is_array($tabExist)) {
|
||||||
foreach ($tabExist AS $key => $value) {
|
foreach ($tabExist AS $key => $value) {
|
||||||
if (!$value) {
|
if (!$value) {
|
||||||
$_strtrans .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n";
|
$_strtrans .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n";
|
||||||
$_strname .= '<li>' . $key . '</li>' . "\n";
|
$_strname .= '<li>' . htmlspecialchars($key) . '</li>' . "\n";
|
||||||
$shoot = TRUE;
|
$shoot = TRUE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
16
pmd_pdf.php
16
pmd_pdf.php
@@ -23,10 +23,12 @@ if (isset($scale) && ! isset($createpage)) {
|
|||||||
|
|
||||||
$pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']);
|
$pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']);
|
||||||
$pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']);
|
$pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']);
|
||||||
|
$scale_q = PMA_sqlAddslashes($scale);
|
||||||
|
$pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number);
|
||||||
|
|
||||||
if (isset($exp)) {
|
if (isset($exp)) {
|
||||||
|
|
||||||
$sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'";
|
$sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'";
|
||||||
|
|
||||||
PMA_query_as_cu($sql,TRUE,PMA_DBI_QUERY_STORE);
|
PMA_query_as_cu($sql,TRUE,PMA_DBI_QUERY_STORE);
|
||||||
}
|
}
|
||||||
@@ -34,15 +36,15 @@ if (isset($scale) && ! isset($createpage)) {
|
|||||||
if (isset($imp)) {
|
if (isset($imp)) {
|
||||||
PMA_query_as_cu(
|
PMA_query_as_cu(
|
||||||
'UPDATE ' . $pma_table . ',' . $pmd_table .
|
'UPDATE ' . $pma_table . ',' . $pmd_table .
|
||||||
' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ',
|
' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ',
|
||||||
' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.'
|
' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale_q.'
|
||||||
WHERE
|
WHERE
|
||||||
' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name`
|
' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name`
|
||||||
AND
|
AND
|
||||||
' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name`
|
' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name`
|
||||||
AND
|
AND
|
||||||
' . $pmd_table . '.`db_name`=\''.$db.'\'
|
' . $pmd_table . '.`db_name`=\'' . PMA_sqlAddslashes($db) .'\'
|
||||||
AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE); }
|
AND pdf_page_number = ' . $pdf_page_number_q . ';',TRUE,PMA_DBI_QUERY_STORE); }
|
||||||
|
|
||||||
die("<script>alert('$strModifications');history.go(-2);</script>");
|
die("<script>alert('$strModifications');history.go(-2);</script>");
|
||||||
}
|
}
|
||||||
@@ -79,11 +81,11 @@ require_once './libraries/header_meta_style.inc.php';
|
|||||||
<select name="pdf_page_number">
|
<select name="pdf_page_number">
|
||||||
<?php
|
<?php
|
||||||
$table_info_result = PMA_query_as_cu('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).'
|
$table_info_result = PMA_query_as_cu('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).'
|
||||||
WHERE db_name = \''.$db.'\'');
|
WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'');
|
||||||
while($page = PMA_DBI_fetch_assoc($table_info_result))
|
while($page = PMA_DBI_fetch_assoc($table_info_result))
|
||||||
{
|
{
|
||||||
?>
|
?>
|
||||||
<option value="<?php echo $page['page_nr'] ?>"><?php echo $page['page_descr'] ?></option>
|
<option value="<?php echo $page['page_nr'] ?>"><?php echo htmlspecialchars($page['page_descr']) ?></option>
|
||||||
<?php
|
<?php
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
|
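Review bot: `PMA_sqlAddslashes()` is the wrong protection for `$scale` and `$pdf_page_number` in the new `$scale_q` / `$pdf_page_number_q` lines of the first hunk: both values are spliced into the statements without surrounding quotes (`ROUND(x/" . $scale_q . ")`, `.`x` * '. $scale_q`, `pdf_page_number = ' . $pdf_page_number_q`), and a backslash escaper only neutralizes quote characters inside a quoted literal, so an unquoted numeric position still accepts arbitrary SQL tokens. Proposed, keeping the `_q` names so the later lines stay as committed: `$scale_q = (float) $scale;` and `$pdf_page_number_q = (int) $pdf_page_number;`, with an explicit rejection of a zero `$scale_q` before it is used as a divisor if a SQL-level failure is not the intended outcome. The `$db` handling (`PMA_sqlAddslashes($db)` inside single quotes) is correct as written. The `if (isset($scale) && ! isset($createpage))` block that encloses all three hunks starts and ends outside them.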