need some help to analysis PMASA-2019-5 #15651

Closed
djerryz opened this issue Dec 15, 2019 · 4 comments

djerryz commented Dec 15, 2019

The commit "ff541af#diff-318d13940f6a71a40c408f13d1c24512" fixes "sql injection".

It adds HTML escaping in move.js and database_tables.twig, but it looks like it just adds a filter at output.
In my view, a fix for SQL injection should add a filter at the input point, but I cannot find where the injection point is.
The commit for sure can prevent XSS, but how does it prevent SQL injection? Can you give me some tips?

I am not sure my question is right; if anything is wrong, I will delete this question...
Thank you!

@williamdes
Member

@djerrystyle, if you are using a version before 4.7.7, you can close the issue.
You will not be vulnerable to the issue.

williamdes added the "question" label Dec 15, 2019
williamdes self-assigned this Dec 15, 2019
@MauricioFauth
Member

Hi, @djerrystyle. Thanks for the question.
phpMyAdmin escapes the database/table names at output, because we don't want to restrict the possible names.
For example, `<script>alert('XSS')</script>` and `&lt;script&gt;alert('XSS')&lt;/script&gt;` are both valid and different database/table names and we don't want to confuse the user.
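
The point made in the reply above, as an added example that is not part of the thread or of phpMyAdmin's code: each output context needs its own encoder, so HTML escaping at output makes markup inert while keeping both names distinct, and it does nothing for an SQL context. The function names and the backtick sample name are assumptions made for illustration.

```javascript
// Added illustration, not phpMyAdmin code; all function names are hypothetical.

// HTML context: encode at the moment the name is written into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// What a browser shows as text for that markup (single-pass entity decode).
function renderedText(markup) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'" };
  return markup.replace(/&(?:amp|lt|gt|quot|#039);/g, (ent) => map[ent]);
}

// SQL context: MySQL identifier quoting (wrap in backticks, double embedded ones).
function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Restricting names at input instead: stripping markup changes the stored name.
function stripTagsAtInput(name) {
  return String(name).replace(/<[^>]*>/g, '');
}

// The two table names from the thread, plus one constructed name with a backtick.
const SAMPLE_NAMES = [
  "<script>alert('XSS')</script>",
  "&lt;script&gt;alert('XSS')&lt;/script&gt;",
  'odd`name',
];

function report(names) {
  return names.map((name) => {
    const html = escapeHtml(name);
    return {
      name,
      html,
      shownToUser: renderedText(html),         // equals name: nothing lost
      inertInHtml: !/[<>]/.test(html),          // no live tag characters remain
      sqlIdentifier: quoteIdentifier(name),     // separate encoder for SQL
      afterInputStrip: stripTagsAtInput(name),  // may no longer match the real name
    };
  });
}

for (const row of report(SAMPLE_NAMES)) console.log(row);
```

The backtick name passes through `escapeHtml` unchanged, which is why output escaping for HTML cannot stand in for identifier quoting in SQL.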

@ibennetch
Member

I think perhaps the wording of the PMASA was a bit unclear here as well; as I recall the initial problem that William discovered was thought to be an SQL injection, but in fixing that it was discovered that the output was interpreted rather than displayed (which was more of an XSS attack) and it seems that perhaps I never updated the PMASA with those details.

Author

djerryz commented Dec 16, 2019

Thank you!

djerryz closed this as completed Dec 16, 2019
github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2020