From a0823be05aa5835f207c0838b9cca67d2d9a050a Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:39:09 -0400 Subject: [PATCH 1/4] XSS on table Print view --- tbl_printview.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_printview.php b/tbl_printview.php index 74b6818e4..8e8ce24d4 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -84,7 +84,7 @@ foreach ($the_tables as $key => $table) { } $counter++; echo '' . "\n"; - echo '

' . $table . '

' . "\n"; + echo '

' . htmlspecialchars($table) . '

' . "\n"; /** * Gets table informations From 4bd27166c314faa37cada91533b86377f4d4d214 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 7 Jul 2011 14:43:45 -0400 Subject: [PATCH 2/4] Another case of XSS --- tbl_printview.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_printview.php b/tbl_printview.php index 8e8ce24d4..ce007d163 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -69,7 +69,7 @@ if ($multi_tables) { $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table); } - echo ''. __('Show tables') . ': ' . $tbl_list . '' . "\n"; + echo ''. __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '' . "\n"; echo '
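Review bot: Escaping `$table` at this one echo leaves the rest of the `foreach ($the_tables as $key => $table)` body unchecked, and that body continues past the end of the hunk, so other outputs of the table name or of column metadata cannot be confirmed safe from here. The follow-up patch at `@@ -69,7 +69,7` fixes `$tbl_list` in the same file, which suggests the sinks are being found one at a time. A pass over every `echo` in the print view that carries a name, comment or default value would close the class rather than the instance. The call also uses the default flags, which leave single quotes unescaped: that is enough for element text, but if the value is ever placed in a single-quoted attribute it would need `htmlspecialchars($table, ENT_QUOTES)`. A short comment above the line, e.g. `// table name is user-influenced: escape on output`, would record why the call is there.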
' . "\n"; } // end if From 951fb4dd79253a3aca8b6e386db77c1affcfc3a9 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:46:33 -0400 Subject: [PATCH 3/4] ChangeLog for PMASA-2011-9 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index fe7103128..49bb8947f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.2 (2011-07-XX) +- [security] Fixed XSS vulnerability, see PMASA-2011-9 + 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 From f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:50:37 -0400 Subject: [PATCH 4/4] Local file inclusion vulnerability --- ChangeLog | 1 + sql.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 49bb8947f..065f8411b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ phpMyAdmin - ChangeLog 3.4.3.2 (2011-07-XX) - [security] Fixed XSS vulnerability, see PMASA-2011-9 +- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 diff --git a/sql.php b/sql.php index 9b19174a4..eb9254ffd 100644 --- a/sql.php +++ b/sql.php @@ -719,7 +719,7 @@ if (0 == $num_rows || $is_affected) { parse_str($_REQUEST['transform_fields_list'], $edited_values); foreach($mime_map as $transformation) { - $include_file = $transformation['transformation']; + $include_file = PMA_securePath($transformation['transformation']); $column_name = $transformation['column_name']; $column_data = $edited_values[$column_name];
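Review bot: `$tbl_list` still holds raw text after this change, because the escaping is applied only inside the `echo` in the `@@ -69,7 +69,7` hunk. Judging by its name and by the fact that this patch was needed, `PMA_backquote()` quotes identifiers for SQL and does nothing for HTML, so any later output of `$tbl_list` would need its own `htmlspecialchars()`. Whether the variable is used again cannot be seen from this hunk, which ends at `// end if`. A comment where the list is built, e.g. `// raw identifiers, not HTML-safe: escape at output`, would keep a later edit from reintroducing the bug.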
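Review bot: In the sql.php hunk, `PMA_securePath()` cleans the path string but does not confine `$include_file` to the set of known transformation plugins, so the later include (outside this hunk) still takes whatever filename `$mime_map` supplies. The function's implementation is not shown on this page; if it is a pattern-based sanitiser, a value that passes the filter but names a file outside the plugin set would still be included. Checking the value against the files actually shipped in the transformations directory would turn this into an allowlist, e.g. `if (! in_array($include_file, $allowed_transformations, true)) { continue; }`, where `$allowed_transformations` is a name constructed for this note and built from that directory. A comment on the line stating where `$mime_map` comes from and why it is not trusted would also help, since the hunk does not show its source.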