nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[security] XSS and SQL injection

Browse Source
This commit is contained in:
Marc Delisle
2009-10-12 21:47:40 +00:00
parent 14645a5035
commit 8ec5434999
5 changed files with 22 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -55,6 +55,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #2872247 [interface] Failed opening required 'mysql_charsets.lib.php', thanks to CyberLeo Kitsana - cyberleo - bug #2872247 [interface] Failed opening required 'mysql_charsets.lib.php', thanks to CyberLeo Kitsana - cyberleo
- bug [structure] "In use" table incorrectly reported as "view" - bug [structure] "In use" table incorrectly reported as "view"
3.2.2.1 (2009-10-12)
- [security] XSS and SQL injection, thanks to Herman van Rink
3.2.2.0 (2009-09-13) 3.2.2.0 (2009-09-13)
- bug #2825293 [structure] Default value for a BIT column - bug #2825293 [structure] Default value for a BIT column
- bug [display] Red arrows were reversed in the list of tables - bug [display] Red arrows were reversed in the list of tables

2
db_operations.php
View File

@@ -627,7 +627,7 @@ if ($cfgRelation['pdfwork'] && $num_tables > 0) { ?>
<?php <?php
while ($pages = @PMA_DBI_fetch_assoc($test_rs)) { while ($pages = @PMA_DBI_fetch_assoc($test_rs)) {
echo ' <option value="' . $pages['page_nr'] . '">' echo ' <option value="' . $pages['page_nr'] . '">'
. $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n"; . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n";
} // end while } // end while
PMA_DBI_free_result($test_rs); PMA_DBI_free_result($test_rs);
unset($test_rs); unset($test_rs);

4
db_structure.php
View File

@@ -287,7 +287,7 @@ foreach ($tables as $keyname => $each_table) {
$row_count++; $row_count++;
if ($table_is_view) { if ($table_is_view) {
$hidden_fields[] = '<input type="hidden" name="views[]" value="' . $each_table['TABLE_NAME'] . '" />'; $hidden_fields[] = '<input type="hidden" name="views[]" value="' . htmlspecialchars($each_table['TABLE_NAME']) . '" />';
} }
if ($each_table['TABLE_ROWS'] > 0) { if ($each_table['TABLE_ROWS'] > 0) {
@@ -373,7 +373,7 @@ foreach ($tables as $keyname => $each_table) {
<tr class="<?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>"> <tr class="<?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>">
<td align="center"> <td align="center">
<input type="checkbox" name="selected_tbl[]" <input type="checkbox" name="selected_tbl[]"
value="<?php echo $each_table['TABLE_NAME']; ?>" value="<?php echo htmlspecialchars($each_table['TABLE_NAME']); ?>"
id="checkbox_tbl_<?php echo $i; ?>"<?php echo $checked; ?> /></td> id="checkbox_tbl_<?php echo $i; ?>"<?php echo $checked; ?> /></td>
<th><label for="checkbox_tbl_<?php echo $i; ?>" <th><label for="checkbox_tbl_<?php echo $i; ?>"
title="<?php echo $alias; ?>" style="<?php echo $ignored ? ' ignored' : ''; ?>"><?php echo $truename; ?></label> title="<?php echo $alias; ?>" style="<?php echo $ignored ? ' ignored' : ''; ?>"><?php echo $truename; ?></label>

12
pdf_pages.php
View File

@@ -270,7 +270,7 @@ if ($cfgRelation['pdfwork']) {
if (isset($chpage) && $chpage == $curr_page['page_nr']) { if (isset($chpage) && $chpage == $curr_page['page_nr']) {
echo ' selected="selected"'; echo ' selected="selected"';
} }
echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>'; echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>';
} // end while } // end while
echo "\n"; echo "\n";
?> ?>
@@ -429,12 +429,12 @@ function resetDrag() {
echo "\n" . ' <td>' echo "\n" . ' <td>'
. "\n" . ' <select name="c_table_' . $i . '[name]">'; . "\n" . ' <select name="c_table_' . $i . '[name]">';
foreach ($selectboxall AS $key => $value) { foreach ($selectboxall AS $key => $value) {
echo "\n" . ' <option value="' . $value . '"'; echo "\n" . ' <option value="' . htmlspecialchars($value) . '"';
if ($value == $sh_page['table_name']) { if ($value == $sh_page['table_name']) {
echo ' selected="selected"'; echo ' selected="selected"';
$tabExist[$_mtab] = TRUE; $tabExist[$_mtab] = TRUE;
} }
echo '>' . $value . '</option>'; echo '>' . htmlspecialchars($value) . '</option>';
} // end while } // end while
echo "\n" . ' </select>' echo "\n" . ' </select>'
. "\n" . ' </td>'; . "\n" . ' </td>';
@@ -462,7 +462,7 @@ function resetDrag() {
echo "\n" . ' <td>' echo "\n" . ' <td>'
. "\n" . ' <select name="c_table_' . $i . '[name]">'; . "\n" . ' <select name="c_table_' . $i . '[name]">';
foreach ($selectboxall AS $key => $value) { foreach ($selectboxall AS $key => $value) {
echo "\n" . ' <option value="' . $value . '">' . $value . '</option>'; echo "\n" . ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
} }
echo "\n" . ' </select>' echo "\n" . ' </select>'
. "\n" . ' </td>'; . "\n" . ' </td>';
@@ -493,8 +493,8 @@ function resetDrag() {
if (!empty($tabExist) && is_array($tabExist)) { if (!empty($tabExist) && is_array($tabExist)) {
foreach ($tabExist AS $key => $value) { foreach ($tabExist AS $key => $value) {
if (!$value) { if (!$value) {
$_strtrans .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n"; $_strtrans .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n";
$_strname .= '<li>' . $key . '</li>' . "\n"; $_strname .= '<li>' . htmlspecialchars($key) . '</li>' . "\n";
$shoot = TRUE; $shoot = TRUE;
} }
} }

17
pmd_pdf.php
View File

@@ -23,10 +23,12 @@ if (isset($scale) && ! isset($createpage)) {
$pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']); $pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']);
$pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']); $pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']);
$scale_q = PMA_sqlAddslashes($scale);
$pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number);
if (isset($exp)) { if (isset($exp)) {
$sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'"; $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'";
PMA_query_as_controluser($sql,TRUE,PMA_DBI_QUERY_STORE); PMA_query_as_controluser($sql,TRUE,PMA_DBI_QUERY_STORE);
} }
@@ -34,15 +36,16 @@ if (isset($scale) && ! isset($createpage)) {
if (isset($imp)) { if (isset($imp)) {
PMA_query_as_controluser( PMA_query_as_controluser(
'UPDATE ' . $pma_table . ',' . $pmd_table . 'UPDATE ' . $pma_table . ',' . $pmd_table .
' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ', ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ',
' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.' ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '. $scale_q .'
WHERE WHERE
' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name` ' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name`
AND AND
' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name` ' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name`
AND AND
' . $pmd_table . '.`db_name`=\''.$db.'\' ' . $pmd_table . '.`db_name`=\''. PMA_sqlAddslashes($db) .'\'
AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE); } AND pdf_page_number = ' . $pdf_page_number_q . ';', TRUE, PMA_DBI_QUERY_STORE);
}
die("<script>alert('$strModifications');history.go(-2);</script>"); die("<script>alert('$strModifications');history.go(-2);</script>");
} }
@@ -79,11 +82,11 @@ require_once './libraries/header_meta_style.inc.php';
<select name="pdf_page_number"> <select name="pdf_page_number">
<?php <?php
$table_info_result = PMA_query_as_controluser('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).' $table_info_result = PMA_query_as_controluser('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).'
WHERE db_name = \''.$db.'\''); WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'');
while($page = PMA_DBI_fetch_assoc($table_info_result)) while($page = PMA_DBI_fetch_assoc($table_info_result))
{ {
?> ?>
<option value="<?php echo $page['page_nr'] ?>"><?php echo $page['page_descr'] ?></option> <option value="<?php echo $page['page_nr'] ?>"><?php echo htmlspecialchars($page['page_descr']) ?></option>
<?php <?php
} }
?> ?>