From f6f6ee3f1171addb166fa18e75a0b56599bf374c Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Sat, 9 Jul 2011 23:10:23 +0200 Subject: [PATCH] [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 --- ChangeLog | 1 + libraries/auth/swekey/swekey.auth.lib.php | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3816fdcb7..fab5ae813 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 - [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 3.3.10.1 (2011-05-20) - [security] XSS on Tracking page diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index 2a790c4d5..bf6f4c879 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -143,7 +143,9 @@ function Swekey_auth_error() return "Internal Error: CA File $caFile not found"; $result = null; - parse_str($_SERVER['QUERY_STRING']); + $swekey_id = $_GET['swekey_id']; + $swekey_otp = $_GET['swekey_otp']; + if (isset($swekey_id)) { unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']); if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) { @@ -166,7 +168,7 @@ function Swekey_auth_error() $result = $GLOBALS['strSwekeyNoKey']; if ($_SESSION['SWEKEY']['CONF_DEBUG']) { - $result .= "
".$swekey_id; + $result .= "
" . htmlspecialchars($swekey_id); } unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file }