From 6d548f7d449b7d4b796949d10a503484f63eaf82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:20:15 +0200 Subject: [PATCH 01/23] Fix XSS on field_str in db_search.php. --- db_search.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db_search.php b/db_search.php index 751675db5..455aa61a1 100644 --- a/db_search.php +++ b/db_search.php @@ -355,7 +355,7 @@ $alter_select = + value="" /> From 5bcd95a42c8ba924d389eafee4d7be80bd4039a3 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Tue, 17 Aug 2010 16:21:37 +0200 Subject: [PATCH 02/23] Fix XSS on delimiter in db_sql.php. --- db_sql.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db_sql.php b/db_sql.php index 2ac198bda..420561e81 100644 --- a/db_sql.php +++ b/db_sql.php @@ -37,7 +37,7 @@ if ($num_tables == 0 && empty($db_query_force)) { /** * Query box, bookmark, insert data from textfile */ -PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';'); +PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';'); /** * Displays the footer From 7f266483b827fb05a4be11663003418c2ef1c878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:23:09 +0200 Subject: [PATCH 03/23] Fix XSS on delimiter in tbl_sql.php. --- tbl_sql.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_sql.php b/tbl_sql.php index 5565d923b..f3c3aac6e 100644 --- a/tbl_sql.php +++ b/tbl_sql.php @@ -38,7 +38,7 @@ require_once './libraries/tbl_links.inc.php'; /** * Query box, bookmark, insert data from textfile */ -PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';'); +PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';'); /** * Displays the footer From ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b Mon Sep 17 00:00:00 2001 
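Review bot: `htmlspecialchars($_REQUEST['delimiter'])` in the db_sql.php and tbl_sql.php hunks uses the default flags, so a single quote is left unescaped and the fix only holds if PMA_sqlQueryForm writes the value into a double-quoted attribute without escaping it again; neither the function nor its output is visible here. Escaping at these two call sites also leaves every other caller of PMA_sqlQueryForm unprotected, so the escape belongs where the delimiter is written into the form, with the raw value passed through. If the call-site fix is kept, `htmlspecialchars($_REQUEST['delimiter'], ENT_QUOTES)` is the safer form, and the same line applies to both files.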
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:31:03 +0200 Subject: [PATCH 04/23] Secure handling of sort_by and sort_order in server_databases.php. --- server_databases.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server_databases.php b/server_databases.php index 47037cc66..89571d107 100644 --- a/server_databases.php +++ b/server_databases.php @@ -342,11 +342,11 @@ if ($databases_count > 0) { unset($column_order, $stat_name, $stat, $databases, $table_columns); if ($is_superuser || $cfg['AllowUserDropDatabase']) { - $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats; + $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats)); echo '' . $strWithChecked . '' . "\n" - . '' . "\n" + . '' . "\n" . ' ' . $strCheckAll . ' / ' . "\n" - . '' . "\n" + . '' . "\n" . ' ' . $strUncheckAll . '' . "\n" . '' . $strWithChecked . '' . "\n"; PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png'); From 533e10213590e7ccd83b98a5cd19ba1c3be119dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:33:30 +0200 Subject: [PATCH 05/23] Fix handling of unknown sort order. --- libraries/database_interface.lib.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php index a7d9e72bb..3c0408d32 100644 --- a/libraries/database_interface.lib.php +++ b/libraries/database_interface.lib.php 
@@ -205,6 +205,10 @@ function PMA_usort_comparison_callback($a, $b) } else { $sorter = 'strcasecmp'; } + /* No sorting when key is not present */ + if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) { + return 0; + } // produces f.e.: // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"]) return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]); From c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Tue, 17 Aug 2010 16:46:16 +0200 Subject: [PATCH 06/23] Limit list of correct values for sort order. --- server_databases.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/server_databases.php b/server_databases.php index 89571d107..5e6d0ecc4 100644 --- a/server_databases.php +++ b/server_databases.php @@ -22,7 +22,21 @@ require './libraries/replication.inc.php'; if (empty($_REQUEST['sort_by'])) { $sort_by = 'SCHEMA_NAME'; } else { - $sort_by = PMA_sanitize($_REQUEST['sort_by']); + $sort_by_whitelist = array( + 'SCHEMA_NAME', + 'DEFAULT_COLLATION_NAME', + 'SCHEMA_TABLES', + 'SCHEMA_TABLE_ROWS', + 'SCHEMA_DATA_LENGTH', + 'SCHEMA_INDEX_LENGTH', + 'SCHEMA_LENGTH', + 'SCHEMA_DATA_FREE' + ); + if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) { + $sort_by = $_REQUEST['sort_by']; + } else { + $sort_by = 'SCHEMA_NAME'; + } } if (isset($_REQUEST['sort_order']) From 00add5c43f594f80dab6304a5bb35d2e50540d2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:09:07 +0200 Subject: [PATCH 07/23] Add option to escape PMA_sanitize output. This is required when it is used in form values. --- libraries/sanitizing.lib.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php index 2b54bf197..890e4a287 100644 --- a/libraries/sanitizing.lib.php 
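Review bot: The new guard in PMA_usort_comparison_callback uses `isset`, which is also false when the key exists with a null value, so rows whose sort column is null are silently treated as incomparable instead of sorted; `array_key_exists($GLOBALS['callback_sort_by'], $a)` distinguishes the two cases. Returning 0 whenever one side lacks the key also makes the comparator non-transitive (a row without the key compares equal to every other row), so the usort result for a mixed array depends on input order. Ordering keyless rows consistently, e.g. `$a_has = array_key_exists($key, $a); $b_has = array_key_exists($key, $b);` followed by `if (! $a_has || ! $b_has) { return (int) $a_has - (int) $b_has; }`, keeps the ordering well defined. The added line mixes `!isset` and `! isset`; the file's style elsewhere in the series is `! isset`.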
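Review bot: `in_array($_REQUEST['sort_by'], $sort_by_whitelist)` is a loose comparison; the idiomatic form for a whitelist check is `if (in_array($_REQUEST['sort_by'], $sort_by_whitelist, true)) {`, which is equivalent for these non-numeric strings today but keeps the list safe if a numeric-looking name is ever added. Both branches of the new `if`/`else` and the outer `empty()` branch fall back to `'SCHEMA_NAME'`, so the default could be assigned once before the check and the `else` dropped. The `sort_order` parameter read on the hunk's last line is handled outside the hunk, so whether it gets the same restriction cannot be confirmed here.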
+++ b/libraries/sanitizing.lib.php @@ -19,7 +19,7 @@ * * @access public */ -function PMA_sanitize($message) +function PMA_sanitize($message, $escape = false) { $replace_pairs = array( '<' => '<', @@ -67,6 +67,10 @@ function PMA_sanitize($message) $message = preg_replace($pattern, '', $message); } + if ($escape) { + $message = htmlspecialchars($message); + } + return $message; } ?> From fa30188dde357426d339d0d7e29a3969f88d188a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Aug 2010 16:10:27 +0200 Subject: [PATCH 08/23] Escape html chars in form values. --- sql.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sql.php b/sql.php index 48988603e..15b1beb98 100644 --- a/sql.php +++ b/sql.php @@ -175,14 +175,14 @@ if ($do_confirm) { .PMA_generate_common_hidden_inputs($db, $table); ?> - + - - - - - - + + + + + + ' . "\n" .' ' . $strDoYouReally . '' From 25ac7de38c125d8067f42bab24212891389ac1e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 11:42:08 +0200 Subject: [PATCH 09/23] Document PMA_sanitize. --- libraries/sanitizing.lib.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php index 890e4a287..d17fc50dd 100644 --- a/libraries/sanitizing.lib.php +++ b/libraries/sanitizing.lib.php @@ -9,11 +9,20 @@ /** * Sanitizes $message, taking into account our special codes - * for formatting + * for formatting. + * + * If you want to include result in element attribute, you should escape it. + * + * Examples: + * + *
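Review bot: The new `if ($escape)` block runs `htmlspecialchars` after `$replace_pairs` and the preg_replace passes have already produced HTML, so with `$escape = true` any entity the sanitizer emitted for a literal `<` or `>` is re-encoded (assuming the right-hand sides of `$replace_pairs` are entities — they are not legible in this copy) and a browser decoding the form value then shows `&lt;` rather than `<`, which corrupts a query that is round-tripped through a hidden field. `htmlspecialchars($message, ENT_QUOTES, 'utf-8', false)` keeps already-encoded entities intact while still neutralising the generated tags, provided the project's minimum PHP version accepts the fourth argument. The default flags also leave `'` unescaped, which matters if the value lands in a single-quoted attribute; `ENT_QUOTES` covers both. The sql.php hunk of the following patch is not legible in this copy.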

+ * + *
bar * * @uses preg_replace() * @uses strtr() * @param string the message + * @param boolean whether to escape html in result * * @return string the sanitized message * From 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:05:32 +0200 Subject: [PATCH 10/23] Fix XSS on checkprivs. --- server_privileges.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server_privileges.php b/server_privileges.php index fd2796f2d..93cab9544 100644 --- a/server_privileges.php +++ b/server_privileges.php @@ -2150,7 +2150,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs // Offer to create a new user for the current database echo '
' . "\n" - . ' ' . "\n" + . ' ' . "\n" . PMA_getIcon('b_usradd.png') . ' ' . $GLOBALS['strAddUser'] . '' . "\n" . '
' . "\n"; From 6028221d97efa2a7d56a61ab4c5750d1b2343619 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:07:45 +0200 Subject: [PATCH 11/23] Fix XSS on dbname. --- server_privileges.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server_privileges.php b/server_privileges.php index 93cab9544..566401625 100644 --- a/server_privileges.php +++ b/server_privileges.php @@ -1600,7 +1600,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs if (isset($tablename)) { echo ' ' . htmlspecialchars($dbname) . ''; + . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . ''; echo ' - ' . $GLOBALS['strTable'] . ' ' . htmlspecialchars($tablename) . ''; } else { echo ' ' . htmlspecialchars($dbname) . ''; @@ -1836,14 +1836,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs . ' '; printf($link_edit, urlencode($username), urlencode($hostname), - urlencode((! isset($dbname)) ? $row['Db'] : $dbname), + urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); echo '' . "\n" . ' '; if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { printf($link_revoke, urlencode($username), urlencode($hostname), - urlencode((! isset($dbname)) ? $row['Db'] : $dbname), + urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); } echo '' . "\n" From 7dc6cea06522b2d4af50934c983f3967540a4918 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:09:13 +0200 Subject: [PATCH 12/23] Fix XSS on tablename and pred_tablename. --- server_privileges.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server_privileges.php b/server_privileges.php index 566401625..b11a96fa5 100644 
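Review bot: In the second hunk (@@ -1836), `urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname))` applies the two encodings in the wrong order for a link target: the HTML entities are produced first and then percent-encoded, so a database name containing `&`, `<`, `>` or `"` reaches the linked page as e.g. `a&amp;b` and the edit/revoke link points at a database that does not exist. For an href the value should be URL-encoded first and HTML-escaped last, `htmlspecialchars(urlencode(isset($dbname) ? $dbname : $row['Db']))`, which also stops treating `$row['Db']` differently from `$dbname`. The username hunk of patch 13 (`htmlspecialchars(urlencode($username))`) has the order right, while the hostname hunk of patch 14 at @@ -1835 (`urlencode(htmlspecialchars($hostname))`) repeats the inversion. Whether `$link_edit`/`$link_revoke` place these values inside an attribute is outside the hunk.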
--- a/server_privileges.php +++ b/server_privileges.php @@ -1923,7 +1923,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs if (isset($tablename)) { echo ' [ ' . $GLOBALS['strTable'] . ' ' . htmlspecialchars($tablename) . ': ' . PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable']) . " ]\n"; From cd205cc55a46e3dc0f8883966f5c854f842e1000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:12:09 +0200 Subject: [PATCH 13/23] Fix XSS on username. --- server_privileges.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/server_privileges.php b/server_privileges.php index b11a96fa5..0e1afece2 100644 --- a/server_privileges.php +++ b/server_privileges.php @@ -1151,7 +1151,7 @@ if (!empty($update_privs)) { } $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2; $message = PMA_Message::success('strUpdatePrivMessage'); - $message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); } @@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) { } $sql_query = $sql_query0 . ' ' . $sql_query1; $message = PMA_Message::success('strRevokeMessage'); - $message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); if (! isset($tablename)) { unset($dbname); } else { @@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) { PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); $message = PMA_Message::success('strPasswordChanged'); - $message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); } } 
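Review bot: The `htmlspecialchars($username)` added to the three `$message->addParam(...)` calls (@@ -1151, -1175, -1211) may double-encode the name if PMA_Message already escapes string parameters when it renders them — addParam is not in the hunk, so this needs checking before escaping here; a user named `a&b` would otherwise display as `a&amp;b`. Escaping once inside PMA_Message at render time would also cover the other addParam callers in this file that the patch does not touch. The same question applies to the `htmlspecialchars($hostname)` patch 14 adds to these lines.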
@@ -1590,7 +1590,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs if (isset($dbname)) { echo ' \'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'' . "\n"; @@ -1599,7 +1599,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] ); if (isset($tablename)) { echo ' ' . htmlspecialchars($dbname) . ''; echo ' - ' . $GLOBALS['strTable'] . ' ' . htmlspecialchars($tablename) . ''; } else { @@ -1834,14 +1834,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs } echo '' . "\n" . ' '; - printf($link_edit, urlencode($username), + printf($link_edit, htmlspecialchars(urlencode($username)), urlencode($hostname), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); echo '' . "\n" . ' '; if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { - printf($link_revoke, urlencode($username), + printf($link_revoke, htmlspecialchars(urlencode($username)), urlencode($hostname), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); From be0f47a93141e2950ad400b8d22a2a98512825c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:13:59 +0200 Subject: [PATCH 14/23] Fix XSS on hostname. --- server_privileges.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/server_privileges.php b/server_privileges.php index 0e1afece2..d43896bb3 100644 --- a/server_privileges.php +++ b/server_privileges.php 
@@ -1151,7 +1151,7 @@ if (!empty($update_privs)) { } $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2; $message = PMA_Message::success('strUpdatePrivMessage'); - $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''); } @@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) { } $sql_query = $sql_query0 . ' ' . $sql_query1; $message = PMA_Message::success('strRevokeMessage'); - $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''); if (! isset($tablename)) { unset($dbname); } else { @@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) { PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); $message = PMA_Message::success('strPasswordChanged'); - $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\''); + $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''); } } @@ -1591,7 +1591,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs if (isset($dbname)) { echo ' \'' + . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'' . "\n"; $url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname)); @@ -1599,7 +1599,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] ); if (isset($tablename)) { echo ' ' . htmlspecialchars($dbname) . ''; echo ' - ' . $GLOBALS['strTable'] . ' ' . htmlspecialchars($tablename) . ''; } else { 
@@ -1835,14 +1835,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs echo '' . "\n" . ' '; printf($link_edit, htmlspecialchars(urlencode($username)), - urlencode($hostname), + urlencode(htmlspecialchars($hostname)), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); echo '' . "\n" . ' '; if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { printf($link_revoke, htmlspecialchars(urlencode($username)), - urlencode($hostname), + urlencode(htmlspecialchars($hostname)), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); } From 48e909660032ddcbc13172830761e363e7a64d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:31:54 +0200 Subject: [PATCH 15/23] Properly check validity of sort parameter. --- libraries/db_info.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php index 4f59baa47..1e5b401ad 100644 --- a/libraries/db_info.inc.php +++ b/libraries/db_info.inc.php @@ -213,7 +213,8 @@ if (! isset($sot_ready)) { ); // Make sure the sort type is implemented - if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) { + if (isset($sortable_name_mappings[$_REQUEST['sort']])) { + $sort = $sortable_name_mappings[$_REQUEST['sort']]; if ($_REQUEST['sort_order'] == 'DESC') { $sort_order = 'DESC'; } From 05ca00e0a20d0eb4848d69bf7a1365df5bba872d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Wed, 18 Aug 2010 12:37:20 +0200 Subject: [PATCH 16/23] Do not assume that DefaultLang is escaped. --- setup/frames/index.inc.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php index 1c93aee40..7807bf7e5 100644 --- a/setup/frames/index.inc.php 
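Review bot: After the db_info.inc.php change `$sort` is only assigned when the lookup succeeds, whereas the removed line assigned it (with a null and a notice) on every path; if the `else` branch that follows the hunk does not set `$sort`, later code may read an undefined variable or a stale value. The new `isset()` still indexes the map with `$_REQUEST['sort']` directly, so a missing parameter raises an undefined-index notice before the lookup and an array-valued `sort` parameter is an illegal offset; `if (isset($_REQUEST['sort']) && is_string($_REQUEST['sort']) && isset($sortable_name_mappings[$_REQUEST['sort']])) {` covers both. The enclosing `if (! isset($sot_ready))` block and the `else` are outside the hunk.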
+++ b/setup/frames/index.inc.php @@ -173,8 +173,7 @@ display_fieldset_top('', '', null, array('class' => 'simple')); $opts = array( 'doc' => $form_display->getDocLink('DefaultLang'), 'wiki' => $form_display->getWikiLink('DefaultLang'), - 'values' => array(), - 'values_escaped' => true); + 'values' => array()); foreach ($all_languages as $each_lang_key => $each_lang) { if (!file_exists($GLOBALS['lang_path'] . $each_lang[1] . '.inc.php')) { continue; From b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Thu, 19 Aug 2010 15:37:06 +0200 Subject: [PATCH 17/23] Revert "Do not assume that DefaultLang is escaped." This reverts commit 05ca00e0a20d0eb4848d69bf7a1365df5bba872d. There does not seem to be bug here. --- setup/frames/index.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php index 7807bf7e5..1c93aee40 100644 --- a/setup/frames/index.inc.php +++ b/setup/frames/index.inc.php @@ -173,7 +173,8 @@ display_fieldset_top('', '', null, array('class' => 'simple')); $opts = array( 'doc' => $form_display->getDocLink('DefaultLang'), 'wiki' => $form_display->getWikiLink('DefaultLang'), - 'values' => array()); + 'values' => array(), + 'values_escaped' => true); foreach ($all_languages as $each_lang_key => $each_lang) { if (!file_exists($GLOBALS['lang_path'] . $each_lang[1] . '.inc.php')) { continue; From d2e0e09e0d402555a6223f0b683fdbfa97821a63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Fri, 20 Aug 2010 10:38:32 +0200 Subject: [PATCH 18/23] Fix XSS with $cfg['SQP']['fmtType'] = 'text'. --- libraries/sqlparser.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php index 53f239a97..f844e2301 100644 --- a/libraries/sqlparser.lib.php +++ b/libraries/sqlparser.lib.php 
@@ -2456,7 +2456,7 @@ if (! defined('PMA_MINIMUM_COMMON')) { } $after .= "\n"; */ - $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after; + $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after; } // end for if ($mode=='color') { $str .= ''; From f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Fri, 20 Aug 2010 10:42:03 +0200 Subject: [PATCH 19/23] Fix XSS on error with very long query. --- libraries/common.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/common.lib.php b/libraries/common.lib.php index c62d51885..124a1dfa8 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -575,7 +575,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '', $formatted_sql = ''; } else { if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) { - $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]'; + $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]'; } else { $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query); } From bf60ec82e948450ae18b9e66c48d27da55ebe860 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Fri, 20 Aug 2010 11:19:28 +0200 Subject: [PATCH 20/23] Fix possible XSS on IIS redirect page. --- libraries/common.lib.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libraries/common.lib.php b/libraries/common.lib.php index 124a1dfa8..4a9c78958 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php 
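Review bot: `substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])` cuts on a byte boundary, so a multi-byte query can be truncated inside a UTF-8 sequence before `htmlspecialchars` sees it; on PHP versions where htmlspecialchars defaults to UTF-8 and rejects invalid input it then returns an empty string and the whole query vanishes from the error page, leaving only `[...]`. Truncating with `mb_strcut`, which keeps the byte limit but never splits a character, avoids that where mbstring is available: `$formatted_sql = htmlspecialchars(mb_strcut($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';`. The sqlparser.lib.php hunk in patch 18 looks consistent, assuming PMA_SQP_formatHTML_colorize (outside the hunk) escapes its output the way the `text` branch now does.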
@@ -705,22 +705,23 @@ function PMA_mysqlDie($error_message = '', $the_query = '', function PMA_sendHeaderLocation($uri) { if (PMA_IS_IIS && strlen($uri) > 600) { + require_once './libraries/js_escape.lib.php'; echo '- - -' . "\n"; echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; - echo '' . "\n"; + echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; From 782b8b46be4f06c695ab713eeefbd75970358e2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Fri, 20 Aug 2010 11:31:11 +0200 Subject: [PATCH 21/23] Avoid information disclossure on error. --- error.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/error.php b/error.php index 674d08e0f..7e86ffb95 100644 --- a/error.php +++ b/error.php @@ -76,10 +76,14 @@ header('Content-Type: text/html; charset=' . $charset);

phpMyAdmin -

From 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Fri, 20 Aug 2010 11:35:42 +0200 Subject: [PATCH 22/23] Escape error message coming from MySQL to avoid XSS on bad parameters. --- libraries/dbi/mysql.dbi.lib.php | 2 ++ libraries/dbi/mysqli.dbi.lib.php | 2 ++ 2 files changed, 4 insertions(+) diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php index 275458832..4750ee225 100644 --- a/libraries/dbi/mysql.dbi.lib.php +++ b/libraries/dbi/mysql.dbi.lib.php @@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null) $error_message = PMA_DBI_convert_message($error_message); } + $error_message = htmlspecialchars($error_message); + // Some errors messages cannot be obtained by mysql_error() if ($error_number == 2002) { $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php index 913bce627..52f760140 100644 --- a/libraries/dbi/mysqli.dbi.lib.php +++ b/libraries/dbi/mysqli.dbi.lib.php @@ -406,6 +406,8 @@ function PMA_DBI_getError($link = null) $error_message = PMA_DBI_convert_message($error_message); } + $error_message = htmlspecialchars($error_message); + if ($error_number == 2002) { $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; } else { From d128f806057e752db082272fd5e5c2f7244821b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Fri, 20 Aug 2010 13:33:32 +0200 Subject: [PATCH 23/23] Changelog. --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 53adf966d..4183ff5bd 100644 --- a/ChangeLog +++ b/ChangeLog 
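Review bot: Escaping `$error_message` inside PMA_DBI_getError changes the function's contract for every caller in both drivers: code that already escapes the returned text, or that writes it to a non-HTML sink such as a log or export, now receives entities like `&amp;` and `&lt;` in the data, while callers that embed it in single-quoted JavaScript or attributes stay exposed because the default flags leave `'` alone. The docblock of PMA_DBI_getError (above the hunk) should state the new contract, e.g. `* NOTE: the returned message is already HTML-escaped; callers must not escape it again`, and the callers should be audited for double encoding. The special-case branches after the escape build `$error` from `$GLOBALS['strServerNotResponding']` and similar strings without passing them through the same escape, which is only consistent if those translations are already HTML. The mysqli.dbi.lib.php hunk is identical and the same points apply there.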
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $ +3.3.5.1 (2010-10-20) +- [core] Fixed various XSS issues, see PMASA-2010-5 for more details. + 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of databases, thanks to Stéphane Pontier - shadow_walker