XSS in MSIE using NUL byte, thanks to JPCERT.

2008-09-22 10:13:32 +00:00
parent e1d1a2dfaa
commit b49d14dbc1
2 changed files with 8 additions and 0 deletions
--- a/3
+++ b/3
@@ -88,6 +88,9 @@ danbarry
 + [lang] Hungarian update, thanks to Jozsef Tamas Herczeg - dodika 
 - bug #2113848 [navi] Page number after database switching 

+2.11.9.2 (2008-09-22)
+- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
+
 2.11.9.1 (2008-09-15)
 - [security] Code execution vulnerability, thanks to Norman Hippert

--- a/libraries/js_escape.lib.php
+++ b/libraries/js_escape.lib.php
@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true)
 * enclosed by <![CDATA[ ... ]]>
 * this requires only to escape ' with \' and end of script block
 *
+ * We also remove NUL byte as some browsers (namely MSIE) ignore it and
+ * it and inserting it anywhere inside </script would allow to pass this
+ * check.
+ *
 * @uses    strtr()
 * @uses    preg_replace()
 * @param   string  $string the string to be escaped
@@ -55,6 +59,7 @@ function PMA_escapeJsString($string)
 {
    return preg_replace('@</script@i', '</\' + \'script',
                        strtr($string, array(
+                                "\000" => '',
                                '\\' => '\\\\',
                                '\'' => '\\\'',
                                "\n" => '\n',