[security] Fixed possible session manipulation in swekey authenticati…

…on, see PMASA-2011-12
phpmyadmin · Jul 12, 2011 · f6f6ee3 · f6f6ee3
1 parent ab31a25
commit f6f6ee3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -10,6 +10,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6
 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7
 - [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8
+- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12
 
 3.3.10.1 (2011-05-20)
 - [security] XSS on Tracking page

diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php
@@ -143,7 +143,9 @@ function timedCheck()
         return "Internal Error: CA File $caFile not found";
 
     $result = null;
-    parse_str($_SERVER['QUERY_STRING']);
+	$swekey_id = $_GET['swekey_id'];
+	$swekey_otp = $_GET['swekey_otp'];
+
     if (isset($swekey_id)) {
         unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']);
         if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) {
@@ -166,7 +168,7 @@ function timedCheck()
                 $result = $GLOBALS['strSwekeyNoKey'];
                 if ($_SESSION['SWEKEY']['CONF_DEBUG'])
                 {
-                    $result .= "<br>".$swekey_id;
+                    $result .= "<br>" . htmlspecialchars($swekey_id);
                 }
                 unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file
              }