Commit 395265e

author
Marc Delisle
committed
bug #4491 [security] Missing validation for accessing User groups feature
Signed-off-by: Marc Delisle <marc@infomarc.info>
1 parent 29a1f56 commit 395265e

2 files changed

+10
-1
lines changed

Diff for: ChangeLog

+1
@@ -16,6 +16,7 @@ phpMyAdmin - ChangeLog
1616
- bug #4486 [security] XSS injection due to unescaped table comment
1717
- bug #4488 [security] XSS injection due to unescaped table name (triggers)
1818
- bug #4492 [security] XSS in AJAX confirmation messages
19+
- bug #4491 [security] Missing validation for accessing User groups feature
1920

2021
4.2.5.0 (2014-06-26)
2122
- bug #4467 shell_exec() has been disabled for security reasons

Diff for: server_user_groups.php

+9-1
@@ -20,6 +20,14 @@
2020
$scripts = $header->getScripts();
2121
$scripts->addFile('server_user_groups.js');
2222

23+
/**
24+
* Only allowed to superuser
25+
*/
26+
if (! $GLOBALS['is_superuser']) {
27+
$response->addHTML(PMA_Message::error(__('No Privileges'))->getDisplay());
28+
exit;
29+
}
30+
2331
$response->addHTML('<div>');
2432
$response->addHTML(PMA_getHtmlForSubMenusOnUsersPage('server_user_groups.php'));
2533

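Review bot: The superuser check at new lines 26-29 runs only after `$header->getScripts()` and `$scripts->addFile('server_user_groups.js')` have executed; move it directly above those calls so an unprivileged request does no work in this script before being refused, and so later edits cannot place request handling ahead of the guard. Reading `$GLOBALS['is_superuser']` with a bare `!` denies access when the key is unset, which is the right failure direction, but `empty($GLOBALS['is_superuser'])` would do the same without an undefined-index notice. The commit changes only ChangeLog and this file, so no test covers the refusal path; a test that requests the page as a non-superuser and expects the 'No Privileges' error would keep the check from regressing.
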
@@ -61,4 +69,4 @@
6169
}
6270

6371
$response->addHTML('</div>');
64-
?>
72+
?>
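
Review bot: The removed and added `?>` lines at old line 64 / new line 72 are identical as rendered, so this looks like a whitespace or end-of-file newline change unrelated to the access check; either drop it from the security fix or remove the closing tag altogether, since a PHP-only file does not need it and omitting it avoids stray output after the tag.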
