From cb9edac1bcb50d68b9790434fe8cfd0ecc363d70 Mon Sep 17 00:00:00 2001 From: Sajeeb Asim Lohani Date: Thu, 15 Jun 2017 16:01:11 +1000 Subject: [PATCH 1/3] XSS Sanitisation Patch Added in HTML Encoding for all echo statements. This should take care of any XSS issues that are within the software. --- phpminiadmin.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/phpminiadmin.php b/phpminiadmin.php index 5fb0c75..9c307ff 100644 --- a/phpminiadmin.php +++ b/phpminiadmin.php @@ -422,7 +422,7 @@ function cfg_toggle(){ e.style.display=e.style.display=='none'?'':'none'; } function qtpl(s){ - $('qraw').value=s.replace(/%T/g,'``'); + $('qraw').value=s.replace(/%T/g,'``'); } function smview(){ if($('is_sm').checked){$('res').className+=' sm'}else{$('res').className = $('res').className.replace(/\bsm\b/,' ')} @@ -452,11 +452,11 @@ function sht(f){ phpMiniAdmin | ">Databases: + -'>show tables -&shex=1'>export -&shim=1'>import +'>show tables +&shex=1'>export +&shim=1'>import | Settings @@ -500,7 +500,7 @@ function print_screen(){ Records: in sec
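Review bot: In the `qtpl` hunk of patch 1 (@@ -422) the value substituted between the backticks of `s.replace(/%T/g,'``')` is written into a single-quoted JavaScript string literal inside a `<script>` block, and HTML-entity encoding is not the right escaper for that context; the PHP expression between the backticks has been stripped from this rendering, so the exact call is inferred from the surrounding lines and the commit message. Entities are not decoded inside script content, so an `ENT_QUOTES`-encoded `'` does stop the quote from terminating the literal, but backslashes and line terminators pass through untouched and can still break the statement. The robust form emits the value as a JSON string, e.g. `s.replace(/%T/g,'`'+<?php echo json_encode(TABLE_NAME_VAR, JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP) ?>+'`')`, where `TABLE_NAME_VAR` stands for whichever variable the stripped expression reads.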
- +

-
+

@@ -958,7 +958,7 @@ function ex_w($s){ if ($ex_issrv){ fwrite($ex_f,$s); }else{ - echo $s; + echo htmlentities($s, ENT_QUOTES); } } } @@ -999,13 +999,13 @@ function print_import(){ .csv file (Excel style):
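Review bot: `echo htmlentities($s, ENT_QUOTES);` in `ex_w` (@@ -958) encodes the export stream itself: the sibling branch `fwrite($ex_f,$s)` shows `$s` is the SQL dump being written, so if the browser branch delivers that dump as a download or plain text rather than as HTML, every `'`, `"`, `<` and `&` inside the exported data becomes an entity and the resulting file no longer restores cleanly. Check the Content-Type the export path sends before this function runs (the start of `ex_w` and the response headers are outside the hunk); if it is not text/html, this line should stay `echo $s;` and the XSS concern does not apply to that response. Patch 3's @@ -958 hunk replaces the call with `eo($s);`, which has the same effect and should be revisited together with this one.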
first row contain field names
(note: for success, field names should be exactly the same as in DB)
-Character set of the file: +Character set of the file:

Import into:
existing table:
replace existing DB data
From 621b7ea307225c61e14c3e44ffb2aa40f054d22a Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 4 Jul 2017 19:05:01 +1000 Subject: [PATCH 2/3] Fixed up the XSS patch. There is a single case where it doesn't seem to work, but that is if the table or the database contains special characters (like <> ). I feel that it shouldn't be a problem as the most likely users of such characters are probably people trying to exploit the application. --- phpminiadmin.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/phpminiadmin.php b/phpminiadmin.php index 9c307ff..ff00fd3 100644 --- a/phpminiadmin.php +++ b/phpminiadmin.php @@ -206,7 +206,7 @@ function display_select($sth,$q){ for($i=0;$i<$fields_num;$i++){ if ($is_sht && $i>0) break; $meta=mysqli_fetch_field($sth); - $headers.="
".$meta->name."
"; + $headers.="
".htmlentities($meta->name, ENT_QUOTES)."
"; } if ($is_shd) $headers.="show create databaseshow table statusshow triggers"; if ($is_sht) $headers.="engine~rowsdata sizeindex sizeshow create tableexplainindexesexportdroptruncateoptimizerepaircomment"; @@ -215,7 +215,7 @@ function display_select($sth,$q){ $swapper=false; while($row=mysqli_fetch_row($sth)){ $sqldr.=""; - $v=$row[0]; + $v=htmlentities($row[0], ENT_QUOTES); if ($is_sht){ $vq='`'.$v.'`'; $url='?'.$xurl."&db=$dbn&t=".b64e($v); @@ -452,11 +452,11 @@ function sht(f){ phpMiniAdmin | ">Databases: - -'>show tables -&shex=1'>export -&shim=1'>import + + +'>show tables +&shex=1'>export +&shim=1'>import | Settings @@ -500,7 +500,7 @@ function print_screen(){ Records: in sec
- + $b"; + $res.=""; } return $res; } @@ -999,7 +999,7 @@ function print_import(){ .csv file (Excel style):
first row contain field names
(note: for success, field names should be exactly the same as in DB)
-Character set of the file: +Character set of the file:

Import into:
existing table: From fc7332c34e00a5a306023dedaba116d22d4d46e7 Mon Sep 17 00:00:00 2001 From: unknown Date: Mon, 10 Jul 2017 11:46:00 +1000 Subject: [PATCH 3/3] Changed all htmlentities to now use hs or eo. Fixed spaces issue. --- phpminiadmin.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/phpminiadmin.php b/phpminiadmin.php index ff00fd3..58ac789 100644 --- a/phpminiadmin.php +++ b/phpminiadmin.php @@ -206,7 +206,7 @@ function display_select($sth,$q){ for($i=0;$i<$fields_num;$i++){ if ($is_sht && $i>0) break; $meta=mysqli_fetch_field($sth); - $headers.="
".htmlentities($meta->name, ENT_QUOTES)."
"; + $headers.="
".hs($meta->name)."
"; } if ($is_shd) $headers.="show create databaseshow table statusshow triggers"; if ($is_sht) $headers.="engine~rowsdata sizeindex sizeshow create tableexplainindexesexportdroptruncateoptimizerepaircomment"; @@ -215,7 +215,7 @@ function display_select($sth,$q){ $swapper=false; while($row=mysqli_fetch_row($sth)){ $sqldr.=""; - $v=htmlentities($row[0], ENT_QUOTES); + $v=hs($row[0]); if ($is_sht){ $vq='`'.$v.'`'; $url='?'.$xurl."&db=$dbn&t=".b64e($v); @@ -422,7 +422,7 @@ function cfg_toggle(){ e.style.display=e.style.display=='none'?'':'none'; } function qtpl(s){ - $('qraw').value=s.replace(/%T/g,'``'); + $('qraw').value=s.replace(/%T/g,'``'); } function smview(){ if($('is_sm').checked){$('res').className+=' sm'}else{$('res').className = $('res').className.replace(/\bsm\b/,' ')} @@ -453,7 +453,7 @@ function sht(f){ | ">Databases: - + '>show tables &shex=1'>export &shim=1'>import @@ -542,7 +542,7 @@ function print_cfg(){
@@ -674,7 +674,7 @@ function sel($arr,$n,$sel=''){ foreach($arr as $a){ # echo $a[0]; $b=$a[$n]; - $res.=""; + $res.=""; } return $res; } @@ -958,7 +958,7 @@ function ex_w($s){ if ($ex_issrv){ fwrite($ex_f,$s); }else{ - echo htmlentities($s, ENT_QUOTES); + eo($s); } } } @@ -1005,7 +1005,7 @@ function print_import(){ existing table:
replace existing DB data