diff --git a/ChangeLog b/ChangeLog index 976141ef7..5dec0549b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,11 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug [history] Do not save too big queries in history - [security] Do not show version info on login screen +2.11.7.1 (2008-07-15) +- bug [security] XSRF/CSRF by manipulating the db, + convcharset and collation_connection parameters, + thanks to YGN Ethical Hacker Group + 2.11.7.0 (2008-06-23) - bug #1908719 [interface] New field cannot be auto-increment and primary key - [dbi] Incorrect interpretation for some mysqli field flags @@ -212,7 +217,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group 2.11.1.0 (2007-09-20) - - bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version - bug #1780098 [GUI] Logout causes CSS loss, thanks to Juergen Wind . incorrect field ids, thanks to Michael Keck @@ -231,7 +235,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1798627 [GUI] Wrong storage engine displayed 2.11.0.0 (2007-08-21) - + [import] support handling of DELIMITER to mimic mysql CLI, thanks to fb1 + improved PHP 6 compatibility - bug #1674914 [structure] changing definition of a TIMESTAMP field @@ -330,7 +333,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1771721 Old SVN URLs 2.10.3.0 (2007-07-20) - - bug #1734285 Copy database with VIEWs - bug #1722502 DROP TABLE in export VIEW - bug #1729027 Sorting results of VIEW browsing @@ -344,7 +346,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - Do not try to delete an internal relation if we just deleted an InnoDB one 2.10.2.0 (2007-06-15) - + [data] display all warnings, not only last one - typo in fix for bug #1671813 - bug #1714908 Inserted Row Count is wrong @@ -367,8 +368,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - patch #1731280 Avoid negative exponent in gmp_pow(), thanks to anosek 2.10.1.0 (2007-04-23) -===================== - - bug #1541147 [js] '#' in database names not correctly handled by queywindow.js - bug #1671403 [parser] using "client" as table name - bug #1672379 [core] Call to undefined function PMA_removeCookie() @@ -401,19 +400,13 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason 2.10.0.2 (2007-03-02) -===================== - + bug #1671813 CVE-2006-1549 deep recursion crash 2.10.0.1 (2007-03-01) -===================== - . [config] set $cfg['Servers'][$i]['ssl'] default value to false, we got reports from some users having problems with the default value of true 2.10.0.0 (2007-02-28) -===================== - - bug #1659176 [general] memory error displaying a table with large BLOBs - bug #1668662 [install] can create the new pma_designer_coords table + [gui] navi logo now links to main page by default, with still the possibility diff --git a/Documentation.html b/Documentation.html index 87417b633..60a7f0df7 100644 --- a/Documentation.html +++ b/Documentation.html @@ -2750,7 +2750,8 @@ SetInputFilter PHP 1.34 Can I access directly to database or table pages?

Yes. Out of the box, you can use URLs like - http://server/phpMyAdmin/index.php?db=database&table=table&target=script. +http://server/phpMyAdmin/index.php?server=X&db=database&table=table&target=script. For server you use the server number which refers to +the order of the server paragraph in config.inc.php. Table and script parts are optional. If you want http://server/phpMyAdmin/database[/table][/script] URLs, you need to do some configuration. Following lines apply only for = 40101) { list($db_charset) = explode('_', $db_collation); if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) { @@ -42,7 +42,8 @@ if (! $result) { require_once './libraries/header.inc.php'; require_once './main.php'; } else { - $message = $strDatabase . ' ' . htmlspecialchars($db) . ' ' . $strHasBeenCreated; + $message = $strDatabase . ' ' . htmlspecialchars($new_db) . ' ' . $strHasBeenCreated; + $GLOBALS['db'] = $new_db; require_once './libraries/header.inc.php'; require_once './' . $cfg['DefaultTabDatabase']; } diff --git a/index.php b/index.php index c3815bf47..c917b3bc6 100644 --- a/index.php +++ b/index.php @@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']); var server = ''; var table = ''; var db = ''; + var token = ''; var text_dir = ''; var pma_absolute_uri = ''; diff --git a/js/querywindow.js b/js/querywindow.js index a07d16794..e089d75c8 100644 --- a/js/querywindow.js +++ b/js/querywindow.js @@ -75,6 +75,7 @@ function setTable(new_table) { * * @uses goTo() * @uses opendb_url + * @uses token * @uses db * @uses server * @uses table @@ -92,6 +93,7 @@ function refreshMain(url) { } } goTo(url + '?server=' + encodeURIComponent(server) + + '&token=' + encodeURIComponent(token) + '&db=' + encodeURIComponent(db) + '&table=' + encodeURIComponent(table) + '&lang=' + encodeURIComponent(lang) + @@ -103,6 +105,7 @@ function refreshMain(url) { * reloads navigation frame * * @uses goTo() + * @uses token * @uses db * @uses server * @uses table @@ -112,6 +115,7 @@ function refreshMain(url) { */ function refreshNavigation() { goTo('navigation.php?server=' + encodeURIComponent(server) + + '&token=' + encodeURIComponent(token) + '&db=' + encodeURIComponent(db) + '&table=' + encodeURIComponent(table) + '&lang=' + encodeURIComponent(lang) + @@ -185,8 +189,8 @@ function markDbTable(db, table) /** * sets current selected server, table and db (called from libraries/footer.inc.php) */ -function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) { - //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )'); +function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) { + //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )'); if (new_server != server || new_lang != lang || new_collation_connection != collation_connection) { // something important has changed @@ -195,6 +199,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab table = new_table; collation_connection = new_collation_connection; lang = new_lang; + token = new_token; refreshNavigation(); } else if (new_db != db || new_table != table) { // save new db and table diff --git a/libraries/common.inc.php b/libraries/common.inc.php index 7bf04a032..9988a4bd7 100644 --- a/libraries/common.inc.php +++ b/libraries/common.inc.php @@ -398,7 +398,10 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST[' * List of parameters which are allowed from unsafe source */ $allow_list = array( - 'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target', + /* needed for direct access, see FAQ 1.34 + * also, server needed for cookie login screen (multi-server) + */ + 'server', 'db', 'table', 'target', /* Session ID */ 'phpMyAdmin', /* Cookie preferences */ diff --git a/libraries/display_create_database.lib.php b/libraries/display_create_database.lib.php index b5b5ba485..fcccecbbb 100644 --- a/libraries/display_create_database.lib.php +++ b/libraries/display_create_database.lib.php @@ -21,7 +21,7 @@ if ($is_create_db_priv) { ' . $strCreateNewDatabase . ' ' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?>
- + = 40101) { require_once './libraries/mysql_charsets.lib.php'; diff --git a/libraries/footer.inc.php b/libraries/footer.inc.php index e02c69ac6..81b090f06 100644 --- a/libraries/footer.inc.php +++ b/libraries/footer.inc.php @@ -74,7 +74,8 @@ if (window.parent.setAll) { echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '"; echo PMA_escapeJsString($GLOBALS['server']) . "', '"; echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '"; - echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>'); + echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '"; + echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>'); }