Need some help to analyze PMASA-2019-5 #15651

Closed
djerrystyle opened this issue Dec 15, 2019 · 4 comments

@djerrystyle djerrystyle commented Dec 15, 2019

The commit "ff541af#diff-318d13940f6a71a40c408f13d1c24512" fixes "SQL injection".

It adds HTML escaping in move.js and database_tables.twig, but it looks like it just adds a filter at output.
In my view, a fix for SQL injection should add a filter at the input point, but I cannot find where the injection point is.
The commit can surely prevent XSS, but how does it prevent SQL injection? Can you give me some tips?

I am not sure my question is right; if anything is wrong, I will delete this question...
Thank you!

@williamdes williamdes commented Dec 15, 2019

@djerrystyle if you are using a version before 4.7.7, you can close the issue.
You will not be vulnerable to the issue.

@williamdes williamdes added the question label Dec 15, 2019
@williamdes williamdes self-assigned this Dec 15, 2019

@mauriciofauth mauriciofauth commented Dec 15, 2019

Hi, @djerrystyle. Thanks for the question.
phpMyAdmin escapes the database/table names at output, because we don't want to restrict the possible names.
For example <script>alert('XSS')</script> and &lt;script&gt;alert('XSS')&lt;/script&gt; are both valid and different database/table names and we don't want to confuse the user.
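
The output-side approach described in the comment above, as an added example that is not part of the thread or of phpMyAdmin's code: the stored name stays untouched and each sink applies its own encoding, compared with an input filter that changes which table the query names. The function names and the `SHOW COLUMNS` query are assumptions for illustration.

```javascript
// Added illustration; helper names are hypothetical, not phpMyAdmin's API.

// HTML text/attribute encoding, applied only at the moment of rendering.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// MySQL identifier quoting: wrap in backticks, double any embedded backtick.
function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Output-side handling: each sink gets the unchanged name plus its own encoding.
function buildOutputs(name) {
  return {
    sql: 'SHOW COLUMNS FROM ' + quoteIdentifier(name),
    html: '<td>' + escapeHtml(name) + '</td>',
  };
}

// The alternative from the question: rewrite the name once, on the way in.
function buildOutputsWithInputFilter(name) {
  const stored = escapeHtml(name); // the name itself is altered here
  return {
    sql: 'SHOW COLUMNS FROM ' + quoteIdentifier(stored), // now names another table
    html: '<td>' + stored + '</td>',
  };
}

// Constructed sample names, taken from the comment above.
const rawName = "<script>alert('XSS')</script>";
const entityName = "&lt;script&gt;alert('XSS')&lt;/script&gt;";

for (const name of [rawName, entityName]) {
  console.log(buildOutputs(name), buildOutputsWithInputFilter(name));
}
```

With output-side encoding the two names stay distinct in both the query and the rendered cell; with the input filter, the query for the first name no longer refers to the table the user selected.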

@ibennetch ibennetch commented Dec 15, 2019

I think perhaps the wording of the PMASA was a bit unclear here as well; as I recall the initial problem that William discovered was thought to be an SQL injection, but in fixing that it was discovered that the output was interpreted rather than displayed (which was more of an XSS attack) and it seems that perhaps I never updated the PMASA with those details.

@djerrystyle djerrystyle commented Dec 16, 2019

Thank you!
