bug #1835123 [security] fixed XSS vulnerability on login page, thanks to Tim Brown (Nth Dimension) for the advisory and to Sebastian for the fix

Marc Delisle
2007-11-20 12:55:14 +00:00
parent e7b825acad
commit 47744bcdda
2 changed files with 6 additions and 1 deletions


@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
2.11.2.2 (2007-11-20)
- bug #1835123 [security] fixed XSS vulnerability on login page,
thanks to Tim Brown (Nth Dimension) for the advisory
and to Sebastian for the fix
2.11.2.1 (2007-11-11) 2.11.2.1 (2007-11-11)
- fixed possible SQL injection using database name - fixed possible SQL injection using database name
- fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group - fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group
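Review bot: The new 2.11.2.2 entry says only "login page" and does not name the affected input. The 2.11.2.1 entries below identify the vector ("in database name"), so naming the convcharset hidden field here as well would let administrators reading the ChangeLog see what was exposed and check that their installed copy carries the fix.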


@@ -233,7 +233,7 @@ if (top != self) {
<fieldset class="tblFooters"> <fieldset class="tblFooters">
<input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" /> <input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" />
<input type="hidden" name="lang" value="<?php echo $GLOBALS['lang']; ?>" /> <input type="hidden" name="lang" value="<?php echo $GLOBALS['lang']; ?>" />
<input type="hidden" name="convcharset" value="<?php echo $GLOBALS['convcharset']; ?>" /> <input type="hidden" name="convcharset" value="<?php echo htmlspecialchars($GLOBALS['convcharset'], ENT_QUOTES); ?>" />
<?php <?php
if (!empty($GLOBALS['target'])) { if (!empty($GLOBALS['target'])) {
echo ' <input type="hidden" name="target" value="' . htmlspecialchars($GLOBALS['target']) . '" />' . "\n"; echo ' <input type="hidden" name="target" value="' . htmlspecialchars($GLOBALS['target']) . '" />' . "\n";
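Review bot: The `lang` hidden field one line above the changed line is still written with a bare `echo $GLOBALS['lang']` into a double-quoted value attribute, which is the same pattern this change removes for `convcharset`. Unless `lang` is checked against a fixed list of known languages before this point (not visible in this hunk), it should get the same `htmlspecialchars(..., ENT_QUOTES)` call. The `target` field below calls `htmlspecialchars()` without `ENT_QUOTES`; that is sufficient inside a double-quoted attribute, but using the same flag in all three places would keep the escaping correct if the quoting style is ever changed.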