[security] XSS: Insufficient output sanitizing (not exploitable without a valid token)
@@ -26,6 +26,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
|
||||
- bug #1601625 [display] The Ignore checkbox is not unchecked for ENUM
|
||||
- bug #2809930 [setup] Notice: Undefined variable: k in setup/index.php
|
||||
- bug [features] Incorrect report of missing relational features
|
||||
- [security] XSS: Insufficient output sanitizing (not exploitable without a valid token)
|
||||
thanks to Sven Vetsch/Disenchant for informing us in a responsible manner
|
||||
|
||||
3.2.0.1 (2009-06-30)
|
||||
- [security] XSS: Insufficient output sanitizing in bookmarks
|
||||
|
@@ -63,12 +63,12 @@ if ($cfgRelation['pdfwork']) {
|
||||
if ($action_choose=="1") {
|
||||
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
|
||||
|
||||
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages'])
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND page_nr = ' . $chpage;
|
||||
. ' AND page_nr = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
|
||||
|
||||
unset($chpage);
|
||||
@@ -205,25 +205,25 @@ if ($cfgRelation['pdfwork']) {
|
||||
$test_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
$test_rs = PMA_query_as_controluser($test_query, FALSE, $query_default_option);
|
||||
if ($test_rs && PMA_DBI_num_rows($test_rs) > 0) {
|
||||
if (isset($arrvalue['delete']) && $arrvalue['delete'] == 'y') {
|
||||
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
} else {
|
||||
$ch_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' '
|
||||
. 'SET x = ' . $arrvalue['x'] . ', y= ' . $arrvalue['y']
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
}
|
||||
} else {
|
||||
$ch_query = 'INSERT INTO ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' '
|
||||
. '(db_name, table_name, pdf_page_number, x, y) '
|
||||
. 'VALUES (\'' . PMA_sqlAddslashes($db) . '\', \'' . PMA_sqlAddslashes($arrvalue['name']) . '\',' . $chpage . ',' . $arrvalue['x'] . ',' . $arrvalue['y'] . ')';
|
||||
. 'VALUES (\'' . PMA_sqlAddslashes($db) . '\', \'' . PMA_sqlAddslashes($arrvalue['name']) . '\', \'' . PMA_sqlAddslashes($chpage) . '\',' . $arrvalue['x'] . ',' . $arrvalue['y'] . ')';
|
||||
}
|
||||
PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
|
||||
} // end if
|
||||
@@ -234,7 +234,7 @@ if ($cfgRelation['pdfwork']) {
|
||||
$d_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' ' . "\n"
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . "\n"
|
||||
. ' AND table_name = \'' . PMA_sqlAddslashes($current_row) . '\'' . "\n"
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
PMA_query_as_controluser($d_query, FALSE, $query_default_option);
|
||||
}
|
||||
break;
|
||||
@@ -322,7 +322,7 @@ if ($cfgRelation['pdfwork']) {
|
||||
<?php
|
||||
$page_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
|
||||
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
|
||||
. ' AND pdf_page_number = ' . $chpage;
|
||||
. ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
|
||||
$page_rs = PMA_query_as_controluser($page_query, FALSE, $query_default_option);
|
||||
$array_sh_page = array();
|
||||
$draginit = '';
|
||||
@@ -398,7 +398,7 @@ function resetDrag() {
|
||||
|
||||
<form method="post" action="pdf_pages.php" name="edcoord">
|
||||
<?php echo PMA_generate_common_hidden_inputs($db, $table); ?>
|
||||
<input type="hidden" name="chpage" value="<?php echo $chpage; ?>" />
|
||||
<input type="hidden" name="chpage" value="<?php echo htmlspecialchars($chpage); ?>" />
|
||||
<input type="hidden" name="do" value="edcoord" />
|
||||
<table border="0">
|
||||
<tr>
|
||||
@@ -502,7 +502,7 @@ function resetDrag() {
|
||||
echo '<form action="pdf_pages.php" method="post">' . "\n"
|
||||
. PMA_generate_common_hidden_inputs($db, $table)
|
||||
. '<input type="hidden" name="do" value="deleteCrap" />' . "\n"
|
||||
. '<input type="hidden" name="chpage" value="' . $chpage . '" />' . "\n"
|
||||
. '<input type="hidden" name="chpage" value="' . htmlspecialchars($chpage) . '" />' . "\n"
|
||||
. $strDelOld
|
||||
. '<ul>' . "\n"
|
||||
. $_strname
|
||||
@@ -523,7 +523,7 @@ function resetDrag() {
|
||||
?>
|
||||
<form method="post" action="pdf_schema.php" name="pdfoptions">
|
||||
<?php echo PMA_generate_common_hidden_inputs($db); ?>
|
||||
<input type="hidden" name="pdf_page_number" value="<?php echo $chpage; ?>" />
|
||||
<input type="hidden" name="pdf_page_number" value="<?php echo htmlspecialchars($chpage); ?>" />
|
||||
|
||||
<?php echo '<br /><strong>' . $strDisplayPDF . '</strong>'; ?>: <br />
|
||||
<input type="checkbox" name="show_grid" id="show_grid_opt" /><label for="show_grid_opt"><?php echo $strShowGrid; ?></label><br />
|
||||
|
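Review bot: The edcoord hunk still interpolates `$arrvalue['x']` and `$arrvalue['y']` unquoted and unescaped in `'SET x = ' . $arrvalue['x'] . ', y= ' . $arrvalue['y']` and in the INSERT's `VALUES (..., ' . $arrvalue['x'] . ',' . $arrvalue['y'] . ')'`, while the commit only wraps `$chpage` in PMA_sqlAddslashes(). If `$arrvalue` is built from the submitted edcoord form (the `<form method="post" action="pdf_pages.php" name="edcoord">` suggests so, though the loop that fills it is outside the hunks), those values reach PMA_query_as_controluser() with no escaping, so the same class of injection the commit fixes for the page number remains — mitigated, as the title notes, only by the CSRF token. Since x, y and pdf_page_number are numeric, casting is the simpler and stronger fix: `. 'SET x = ' . (int) $arrvalue['x'] . ', y= ' . (int) $arrvalue['y']` and the same `(int)` in the VALUES list; a single `$chpage = (int) $chpage;` where it is read would likewise remove the need to quote it in every query and in the hidden inputs. The enclosing `if ($cfgRelation['pdfwork'])` block and the switch these hunks belong to start and end outside the hunks.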
@@ -682,7 +682,7 @@ function PMA_displayLoginInformationFields($mode = 'new')
|
||||
. $username_length . '" title="' . $GLOBALS['strUserName'] . '"'
|
||||
. (empty($GLOBALS['username'])
|
||||
? ''
|
||||
: ' value="' . (isset($GLOBALS['new_username'])
|
||||
: ' value="' . htmlspecialchars(isset($GLOBALS['new_username'])
|
||||
? $GLOBALS['new_username']
|
||||
: $GLOBALS['username']) . '"')
|
||||
. ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
|
||||
@@ -747,7 +747,7 @@ function PMA_displayLoginInformationFields($mode = 'new')
|
||||
. '</span>' . "\n"
|
||||
. '<input type="text" name="hostname" maxlength="'
|
||||
. $hostname_length . '" value="'
|
||||
. (isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '')
|
||||
. htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '')
|
||||
. '" title="' . $GLOBALS['strHost']
|
||||
. '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
|
||||
. PMA_showHint($GLOBALS['strHostTableExplanation'])
|
||||
|
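Review bot: The two htmlspecialchars() calls added at `' value="' . htmlspecialchars(isset($GLOBALS['new_username']) ...` and `. htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '')` use the default flags, which escape double quotes but not single quotes; that is sufficient for these double-quoted attributes, but passing the flag explicitly (`htmlspecialchars($value, ENT_QUOTES)`) keeps the escaping correct if the attribute quoting is ever changed, and matches the usual habit of escaping for both quote styles. Separately, the unchanged `empty($GLOBALS['username'])` test just above treats a literal username of "0" as empty and drops the value attribute entirely; if "0" can be a legitimate account name, `$GLOBALS['username'] === ''` is the precise test. The `title="' . $GLOBALS['strUserName'] . '"` and `$GLOBALS['strHost']` attributes stay unescaped, which is fine only as long as they are translation strings rather than request data — cannot confirm from these hunks. PMA_displayLoginInformationFields() starts before and ends after both hunks.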