From f6f6ee3f1171addb166fa18e75a0b56599bf374c Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Sat, 9 Jul 2011 23:10:23 +0200 Subject: [PATCH 1/5] [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 --- ChangeLog | 1 + libraries/auth/swekey/swekey.auth.lib.php | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3816fdcb7..fab5ae813 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 - [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 3.3.10.1 (2011-05-20) - [security] XSS on Tracking page diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index 2a790c4d5..bf6f4c879 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -143,7 +143,9 @@ function Swekey_auth_error() return "Internal Error: CA File $caFile not found"; $result = null; - parse_str($_SERVER['QUERY_STRING']); + $swekey_id = $_GET['swekey_id']; + $swekey_otp = $_GET['swekey_otp']; + if (isset($swekey_id)) { unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']); if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) { @@ -166,7 +168,7 @@ function Swekey_auth_error() $result = $GLOBALS['strSwekeyNoKey']; if ($_SESSION['SWEKEY']['CONF_DEBUG']) { - $result .= "
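Review bot: The new assignments `$swekey_id = $_GET['swekey_id'];` and `$swekey_otp = $_GET['swekey_otp'];` read the keys unconditionally, so a request without them raises an undefined-index notice, and a request that sends the parameter in array form passes a non-string to everything downstream, including the `htmlspecialchars($swekey_id)` call added in the @@ -166 hunk. Dropping `parse_str($_SERVER['QUERY_STRING'])` is the right direction, because explicit reads stop query parameters from being imported as variables into the function's scope. I would also check presence and type, e.g. `$swekey_id = (isset($_GET['swekey_id']) && is_string($_GET['swekey_id'])) ? $_GET['swekey_id'] : null;`, and the same for `swekey_otp`, which leaves the existing `isset($swekey_id)` test working as before. Swekey_auth_error() starts and ends outside the hunk, so any other variable the old parse_str() call may have populated is not visible here and should be checked against the full function.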
".$swekey_id; + $result .= "
" . htmlspecialchars($swekey_id); } unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file } From 630b8260be45eb9b211f5d7628dbb9e5c1b05bc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Mon, 11 Jul 2011 14:15:19 +0200 Subject: [PATCH 2/5] Pass token along with swekey auth requests --- libraries/auth/swekey/swekey.auth.lib.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index bf6f4c879..197de1c1d 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -188,16 +188,16 @@ function Swekey_auth_error() Date: Fri, 22 Jul 2011 20:14:50 +0200 Subject: [PATCH 3/5] Backported fix for PMASA-2011-9 to 3.3 --- tbl_printview.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tbl_printview.php b/tbl_printview.php index c5b17ab27..2b38e24a4 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -72,7 +72,7 @@ if ($multi_tables) { $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table); } - echo ''. $strShowTables . ': ' . $tbl_list . '' . "\n"; + echo ''. $strShowTables . ': ' . htmlspecialchars($tbl_list) . '' . "\n"; echo '
' . "\n"; } // end if @@ -87,7 +87,7 @@ foreach ($the_tables as $key => $table) { } $counter++; echo '' . "\n"; - echo '
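Review bot: Both `htmlspecialchars()` calls added to tbl_printview.php (on `$tbl_list` here and on `$table` in the @@ -87 hunk) rely on the default flags and charset, which on PHP before 5.4 are ENT_COMPAT and ISO-8859-1. The surrounding markup is not legible on this page, so I cannot tell whether either value sits in element text or inside an attribute. If the page is served as UTF-8, or a value can ever land in a single-quoted attribute, I would pass the arguments explicitly: `htmlspecialchars($table, ENT_QUOTES, 'UTF-8')`. The foreach body continues outside the second hunk, so any later output of `$table` inside the loop should be checked for the same escaping.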

' . $table . '

' . "\n"; + echo '

' . htmlspecialchars($table) . '

' . "\n"; /** * Gets table informations From 2254a70fad144a2b6b3820c325be7304765e41d7 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Fri, 22 Jul 2011 20:15:08 +0200 Subject: [PATCH 4/5] Updated/fixed Changelog --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index fab5ae813..31c6e741c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,12 +5,15 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $ +3.3.10.3 (not released) +- [security] Fixed XSS vulnerability, see PMASA-2011-9 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 + 3.3.10.2 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 - [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 -- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 3.3.10.1 (2011-05-20) - [security] XSS on Tracking page From 6cb0ad8a0de2890ef9cf895804455d1d6206df72 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sat, 23 Jul 2011 07:54:38 -0400 Subject: [PATCH 5/5] 3.3.10.3 release date --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 31c6e741c..54ef4ec01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,7 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $ -3.3.10.3 (not released) +3.3.10.3 (2011-07-23) - [security] Fixed XSS vulnerability, see PMASA-2011-9 - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12