diff --git a/ChangeLog b/ChangeLog
index 9c8961ff1..dadcb3e02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- [core] do not automatically set and create TempDir, it might lead to security
issue (thanks to Thijs Kinkhorst)
+2.11.9.6 (2009-10-12)
+- [security] XSS and SQL injection, thanks to Herman van Rink
+
2.11.9.5 (2009-03-24)
- [security] XSS vulnerability on export page
- [security] Insufficient output sanitizing when generating configuration file
diff --git a/db_operations.php b/db_operations.php
index ebac542af..7f37a3dd6 100644
--- a/db_operations.php
+++ b/db_operations.php
@@ -463,7 +463,7 @@ if ($cfgRelation['pdfwork'] && $num_tables > 0) { ?>
'
- . $pages['page_nr'] . ': ' . $pages['page_descr'] . '' . "\n";
+ . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '' . "\n";
} // end while
PMA_DBI_free_result($test_rs);
unset($test_rs);
diff --git a/pdf_pages.php b/pdf_pages.php
index 02673821a..29a4f1ae1 100644
--- a/pdf_pages.php
+++ b/pdf_pages.php
@@ -273,7 +273,7 @@ if ($cfgRelation['pdfwork']) {
if (isset($chpage) && $chpage == $curr_page['page_nr']) {
echo ' selected="selected"';
}
- echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '';
+ echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '';
} // end while
echo "\n";
?>
@@ -426,12 +426,12 @@ function resetDrag() {
echo "\n" . ' | '
. "\n" . ' '
. "\n" . ' | ';
@@ -459,7 +459,7 @@ function resetDrag() {
echo "\n" . ' '
. "\n" . ' '
. "\n" . ' | ';
@@ -490,8 +490,8 @@ function resetDrag() {
if (!empty($tabExist) && is_array($tabExist)) {
foreach ($tabExist AS $key => $value) {
if (!$value) {
- $_strtrans .= '' . "\n";
- $_strname .= '' . $key . '' . "\n";
+ $_strtrans .= '' . "\n";
+ $_strname .= '' . htmlspecialchars($key) . '' . "\n";
$shoot = TRUE;
}
}
diff --git a/pmd_pdf.php b/pmd_pdf.php
index eb6c13d81..125fb6925 100644
--- a/pmd_pdf.php
+++ b/pmd_pdf.php
@@ -23,10 +23,12 @@ if (isset($scale)) {
$pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']);
$pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']);
+ $scale_q = PMA_sqlAddslashes($scale);
+ $pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number);
if (isset($exp)) {
- $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'";
+ $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'";
PMA_query_as_cu($sql,TRUE,PMA_DBI_QUERY_STORE);
}
@@ -34,15 +36,16 @@ if (isset($scale)) {
if (isset($imp)) {
PMA_query_as_cu(
'UPDATE ' . $pma_table . ',' . $pmd_table .
- ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ',
- ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.'
+ ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ',
+ ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '. $scale_q .'
WHERE
' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name`
AND
' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name`
AND
- ' . $pmd_table . '.`db_name`=\''.$db.'\'
- AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE); }
+ ' . $pmd_table . '.`db_name`=\''. PMA_sqlAddslashes($db) .'\'
+ AND pdf_page_number = ' . $pdf_page_number_q . ';', TRUE, PMA_DBI_QUERY_STORE);
+ }
die("");
}
@@ -76,11 +79,11 @@ if (isset($scale)) {