security fix (XSRF) -- will do other branches later

ChangeLog

@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
 
+2.11.7.1 ()
+- bug #1908719 [security] XSRF/CSRF by manipulating the db,
+  convcharset and collation_connection parameters,
+  thanks to YGN Ethical Hacker Group
+
 2.11.7.0 (2008-06-23)
 - bug #1908719 [interface] New field cannot be auto-increment and primary key 
 - [dbi] Incorrect interpretation for some mysqli field flags 

db_create.php

@@ -12,7 +12,7 @@
 $js_to_run = 'functions.js';
 require_once './libraries/mysql_charsets.lib.php';
 
-PMA_checkParameters(array('db'));
+PMA_checkParameters(array('new_db'));
 
 /**
  * Defines the url to return to in case of error in a sql statement
@@ -22,7 +22,7 @@
 /**
  * Builds and executes the db creation sql query
  */
-$sql_query = 'CREATE DATABASE ' . PMA_backquote($db);
+$sql_query = 'CREATE DATABASE ' . PMA_backquote($new_db);
 if (!empty($db_collation) && PMA_MYSQL_INT_VERSION >= 40101) {
     list($db_charset) = explode('_', $db_collation);
     if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
@@ -42,7 +42,8 @@
     require_once './libraries/header.inc.php';
     require_once './main.php';
 } else {
-    $message = $strDatabase . ' ' . htmlspecialchars($db) . ' ' . $strHasBeenCreated;
+    $message = $strDatabase . ' ' . htmlspecialchars($new_db) . ' ' . $strHasBeenCreated;
+    $GLOBALS['db'] = $new_db;
     require_once './libraries/header.inc.php';
     require_once './' . $cfg['DefaultTabDatabase'];
 }

index.php

@@ -124,6 +124,7 @@
     var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
     var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
     var db    = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
+    var token = '<?php echo PMA_escapeJsString($_SESSION[' PMA_token ']); ?>';
     var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
     var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
 

js/querywindow.js

@@ -75,6 +75,7 @@ function setTable(new_table) {
  *
  * @uses 	goTo()
  * @uses 	opendb_url
+ * @uses 	token
  * @uses 	db
  * @uses 	server
  * @uses 	table
@@ -92,6 +93,7 @@ function refreshMain(url) {
         }
     }
     goTo(url + '?server=' + encodeURIComponent(server) +
+        '&token=' + encodeURIComponent(token) +
         '&db=' + encodeURIComponent(db) +
         '&table=' + encodeURIComponent(table) +
         '&lang=' + encodeURIComponent(lang) +
@@ -103,6 +105,7 @@ function refreshMain(url) {
  * reloads navigation frame
  *
  * @uses 	goTo()
+ * @uses 	token
  * @uses 	db
  * @uses 	server
  * @uses 	table
@@ -112,6 +115,7 @@ function refreshMain(url) {
  */
 function refreshNavigation() {
     goTo('navigation.php?server=' + encodeURIComponent(server) +
+        '&token=' + encodeURIComponent(token)  +
         '&db=' + encodeURIComponent(db)  +
         '&table=' + encodeURIComponent(table) +
         '&lang=' + encodeURIComponent(lang) +
@@ -185,8 +189,8 @@ function markDbTable(db, table)
 /**
  * sets current selected server, table and db (called from libraries/footer.inc.php)
  */
-function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) {
-    //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )');
+function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) {
+    //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )');
     if (new_server != server || new_lang != lang
       || new_collation_connection != collation_connection) {
         // something important has changed
@@ -195,6 +199,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab
         table  = new_table;
         collation_connection  = new_collation_connection;
         lang  = new_lang;
+        token  = new_token;
         refreshNavigation();
     } else if (new_db != db || new_table != table) {
         // save new db and table

libraries/common.inc.php

@@ -398,7 +398,8 @@
      *  List of parameters which are allowed from unsafe source
      */
     $allow_list = array(
-        'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target',
+        /* needed for direct access, see FAQ 1.34 */
+        'db', 'table', 'target',
         /* Session ID */
         'phpMyAdmin',
         /* Cookie preferences */

libraries/display_create_database.lib.php

@@ -21,7 +21,7 @@
             <?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label>&nbsp;' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></b><br />
             <?php echo PMA_generate_common_hidden_inputs('', '', 5); ?>
             <input type="hidden" name="reload" value="1" />
-            <input type="text" name="db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
+            <input type="text" name="new_db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
             <?php
     if (PMA_MYSQL_INT_VERSION >= 40101) {
         require_once './libraries/mysql_charsets.lib.php';

libraries/footer.inc.php

@@ -74,7 +74,8 @@
         echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
         echo PMA_escapeJsString($GLOBALS['server']) . "', '";
         echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
-        echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>');
+        echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '";
+        echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>');
 }
     <?php
     if (! empty($GLOBALS['reload'])) {