[security] XSS: Insufficient output sanitizing (not exploitable without a valid token)

This commit is contained in:
Herman van Rink
2009-06-30 13:19:39 +00:00
parent 2a893aba92
commit 933eb845de
3 changed files with 15 additions and 13 deletions


@@ -26,6 +26,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1601625 [display] The Ignore checkbox is not unchecked for ENUM - bug #1601625 [display] The Ignore checkbox is not unchecked for ENUM
- bug #2809930 [setup] Notice: Undefined variable: k in setup/index.php - bug #2809930 [setup] Notice: Undefined variable: k in setup/index.php
- bug [features] Incorrect report of missing relational features - bug [features] Incorrect report of missing relational features
- [security] XSS: Insufficient output sanitizing (not exploitable without a valid token)
thanks to Sven Vetsch/Disenchant for informing us in a responsible manner
3.2.0.1 (2009-06-30) 3.2.0.1 (2009-06-30)
- [security] XSS: Insufficient output sanitizing in bookmarks - [security] XSS: Insufficient output sanitizing in bookmarks


@@ -63,12 +63,12 @@ if ($cfgRelation['pdfwork']) {
if ($action_choose=="1") { if ($action_choose=="1") {
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) $ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
PMA_query_as_controluser($ch_query, FALSE, $query_default_option); PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']) $ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages'])
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND page_nr = ' . $chpage; . ' AND page_nr = \'' . PMA_sqlAddslashes($chpage) . '\'';
PMA_query_as_controluser($ch_query, FALSE, $query_default_option); PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
unset($chpage); unset($chpage);
@@ -205,25 +205,25 @@ if ($cfgRelation['pdfwork']) {
$test_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) $test_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\'' . ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
$test_rs = PMA_query_as_controluser($test_query, FALSE, $query_default_option); $test_rs = PMA_query_as_controluser($test_query, FALSE, $query_default_option);
if ($test_rs && PMA_DBI_num_rows($test_rs) > 0) { if ($test_rs && PMA_DBI_num_rows($test_rs) > 0) {
if (isset($arrvalue['delete']) && $arrvalue['delete'] == 'y') { if (isset($arrvalue['delete']) && $arrvalue['delete'] == 'y') {
$ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) $ch_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\'' . ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
} else { } else {
$ch_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' ' $ch_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' '
. 'SET x = ' . $arrvalue['x'] . ', y= ' . $arrvalue['y'] . 'SET x = ' . $arrvalue['x'] . ', y= ' . $arrvalue['y']
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\'' . ' AND table_name = \'' . PMA_sqlAddslashes($arrvalue['name']) . '\''
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
} }
} else { } else {
$ch_query = 'INSERT INTO ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' ' $ch_query = 'INSERT INTO ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' '
. '(db_name, table_name, pdf_page_number, x, y) ' . '(db_name, table_name, pdf_page_number, x, y) '
. 'VALUES (\'' . PMA_sqlAddslashes($db) . '\', \'' . PMA_sqlAddslashes($arrvalue['name']) . '\',' . $chpage . ',' . $arrvalue['x'] . ',' . $arrvalue['y'] . ')'; . 'VALUES (\'' . PMA_sqlAddslashes($db) . '\', \'' . PMA_sqlAddslashes($arrvalue['name']) . '\', \'' . PMA_sqlAddslashes($chpage) . '\',' . $arrvalue['x'] . ',' . $arrvalue['y'] . ')';
} }
PMA_query_as_controluser($ch_query, FALSE, $query_default_option); PMA_query_as_controluser($ch_query, FALSE, $query_default_option);
} // end if } // end if
@@ -234,7 +234,7 @@ if ($cfgRelation['pdfwork']) {
$d_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' ' . "\n" $d_query = 'DELETE FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) . ' ' . "\n"
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . "\n" . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . "\n"
. ' AND table_name = \'' . PMA_sqlAddslashes($current_row) . '\'' . "\n" . ' AND table_name = \'' . PMA_sqlAddslashes($current_row) . '\'' . "\n"
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
PMA_query_as_controluser($d_query, FALSE, $query_default_option); PMA_query_as_controluser($d_query, FALSE, $query_default_option);
} }
break; break;
@@ -322,7 +322,7 @@ if ($cfgRelation['pdfwork']) {
<?php <?php
$page_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) $page_query = 'SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
. ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'' . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
. ' AND pdf_page_number = ' . $chpage; . ' AND pdf_page_number = \'' . PMA_sqlAddslashes($chpage) . '\'';
$page_rs = PMA_query_as_controluser($page_query, FALSE, $query_default_option); $page_rs = PMA_query_as_controluser($page_query, FALSE, $query_default_option);
$array_sh_page = array(); $array_sh_page = array();
$draginit = ''; $draginit = '';
@@ -398,7 +398,7 @@ function resetDrag() {
<form method="post" action="pdf_pages.php" name="edcoord"> <form method="post" action="pdf_pages.php" name="edcoord">
<?php echo PMA_generate_common_hidden_inputs($db, $table); ?> <?php echo PMA_generate_common_hidden_inputs($db, $table); ?>
<input type="hidden" name="chpage" value="<?php echo $chpage; ?>" /> <input type="hidden" name="chpage" value="<?php echo htmlspecialchars($chpage); ?>" />
<input type="hidden" name="do" value="edcoord" /> <input type="hidden" name="do" value="edcoord" />
<table border="0"> <table border="0">
<tr> <tr>
@@ -502,7 +502,7 @@ function resetDrag() {
echo '<form action="pdf_pages.php" method="post">' . "\n" echo '<form action="pdf_pages.php" method="post">' . "\n"
. PMA_generate_common_hidden_inputs($db, $table) . PMA_generate_common_hidden_inputs($db, $table)
. '<input type="hidden" name="do" value="deleteCrap" />' . "\n" . '<input type="hidden" name="do" value="deleteCrap" />' . "\n"
. '<input type="hidden" name="chpage" value="' . $chpage . '" />' . "\n" . '<input type="hidden" name="chpage" value="' . htmlspecialchars($chpage) . '" />' . "\n"
. $strDelOld . $strDelOld
. '<ul>' . "\n" . '<ul>' . "\n"
. $_strname . $_strname
@@ -523,7 +523,7 @@ function resetDrag() {
?> ?>
<form method="post" action="pdf_schema.php" name="pdfoptions"> <form method="post" action="pdf_schema.php" name="pdfoptions">
<?php echo PMA_generate_common_hidden_inputs($db); ?> <?php echo PMA_generate_common_hidden_inputs($db); ?>
<input type="hidden" name="pdf_page_number" value="<?php echo $chpage; ?>" /> <input type="hidden" name="pdf_page_number" value="<?php echo htmlspecialchars($chpage); ?>" />
<?php echo '<br /><strong>' . $strDisplayPDF . '</strong>'; ?>:&nbsp;<br /> <?php echo '<br /><strong>' . $strDisplayPDF . '</strong>'; ?>:&nbsp;<br />
<input type="checkbox" name="show_grid" id="show_grid_opt" /><label for="show_grid_opt"><?php echo $strShowGrid; ?></label><br /> <input type="checkbox" name="show_grid" id="show_grid_opt" /><label for="show_grid_opt"><?php echo $strShowGrid; ?></label><br />
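Review bot: `$arrvalue['x']` and `$arrvalue['y']` are still concatenated into the SQL unquoted and unescaped in the UPDATE branch (`'SET x = ' . $arrvalue['x'] . ', y= ' . $arrvalue['y']`) and in the INSERT's VALUES list, while `$chpage` in those very same statements is now passed through PMA_sqlAddslashes. The code building `$arrvalue` is outside the hunk, but it appears to come from the same posted coordinate form as `$chpage`, so it sits at the same trust level; as both are coordinates, a cast is the simplest guard: `. 'SET x = ' . (int) $arrvalue['x'] . ', y= ' . (int) $arrvalue['y']`, with the matching `(int)` casts in the VALUES list. The same reasoning applies to `$chpage` itself, which is only ever compared against the numeric `pdf_page_number` / `page_nr` columns: a single `$chpage = (int) $chpage;` where it is read would make the string-escaping in the seven queries and the three htmlspecialchars() calls in the hidden inputs redundant rather than load-bearing. The enclosing `if ($cfgRelation['pdfwork'])` block starts before the first hunk and ends after the last.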


@@ -682,7 +682,7 @@ function PMA_displayLoginInformationFields($mode = 'new')
. $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"'
. (empty($GLOBALS['username']) . (empty($GLOBALS['username'])
? '' ? ''
: ' value="' . (isset($GLOBALS['new_username']) : ' value="' . htmlspecialchars(isset($GLOBALS['new_username'])
? $GLOBALS['new_username'] ? $GLOBALS['new_username']
: $GLOBALS['username']) . '"') : $GLOBALS['username']) . '"')
. ' onchange="pred_username.value = \'userdefined\';" />' . "\n" . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
@@ -747,7 +747,7 @@ function PMA_displayLoginInformationFields($mode = 'new')
. '</span>' . "\n" . '</span>' . "\n"
. '<input type="text" name="hostname" maxlength="' . '<input type="text" name="hostname" maxlength="'
. $hostname_length . '" value="' . $hostname_length . '" value="'
. (isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') . htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '')
. '" title="' . $GLOBALS['strHost'] . '" title="' . $GLOBALS['strHost']
. '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n" . '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
. PMA_showHint($GLOBALS['strHostTableExplanation']) . PMA_showHint($GLOBALS['strHostTableExplanation'])
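Review bot: The escaping of the username input is now correct but hard to audit, because `htmlspecialchars(` opens on one line and its argument is a ternary spread over the next two, itself nested inside the `empty($GLOBALS['username'])` ternary, so a reader must match parentheses to confirm the whole attribute value is covered. I would hoist the choice into a local before the echo, `$shown_username = isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username'];`, and write the attribute as `' value="' . htmlspecialchars($shown_username) . '"'`. The hostname attribute in the second hunk can be treated the same way with `$shown_hostname = isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '';`. Both hunks lie inside PMA_displayLoginInformationFields, which starts before the first hunk and ends after the second.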