XSS in MSIE using NUL byte, thanks to JPCERT.

2008-09-22 10:13:32 +00:00
parent f8d65ec564
commit 44f9f2f8b7
2 changed files with 8 additions and 0 deletions
--- a/3
+++ b/3
@@ -11,6 +11,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 - [core] do not automatically set and create TempDir, it might lead to security
  issue (thanks to Thijs Kinkhorst)

+2.11.9.2 (2008-09-22)
+- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
+
 2.11.9.1 (2008-09-15)
 - [security] Code execution vulnerability, thanks to Norman Hippert

--- a/libraries/js_escape.lib.php
+++ b/libraries/js_escape.lib.php
@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true)
 * enclosed by <![CDATA[ ... ]]>
 * this requires only to escape ' with \' and end of script block
 *
+ * We also remove NUL byte as some browsers (namely MSIE) ignore it and
+ * it and inserting it anywhere inside </script would allow to pass this
+ * check.
+ *
 * @uses    strtr()
 * @uses    preg_replace()
 * @param   string  $string the string to be escaped
@@ -55,6 +59,7 @@ function PMA_escapeJsString($string)
 {
    return preg_replace('@</script@i', '</\' + \'script',
                        strtr($string, array(
+                                "\000" => '',
                                '\\' => '\\\\',
                                '\'' => '\\\'',
                                "\n" => '\n',