Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql injection in /phpmyadmin/libraries/classesCreateAddField.php #15898

Closed
MatisAct opened this issue Feb 3, 2020 · 9 comments · Fixed by #16004
Closed

sql injection in /phpmyadmin/libraries/classesCreateAddField.php #15898

MatisAct opened this issue Feb 3, 2020 · 9 comments · Fixed by #16004
Assignees
@williamdes
Labels
Bug A problem or regression with an existing feature
Projects
issues
Milestone
5.0.2

Comments

@MatisAct
Copy link

MatisAct commented Feb 3, 2020

Describe the bug

  • sql injection in /phpmyadmin/libraries/classesCreateAddField.php
  • function getTableCreationQuery() line 457
    sqli_phpmyadmin

To Reproduce

Steps to reproduce the behavior:

  1. Go to http://localhost/phpmyadmin/tbl_create.php?db=anydb
  2. Click on save
  3. sniff resquest and edit param tbl_storage_engine or tbl_collation
  4. See error

Expected behavior

https://www.slideshare.net/OWASPEEE/russia-mysql-oob-injections

Screenshots

-adding ' in param tbl_storage_engine
error_phpmyadmin

  • adding comment -- -
    not_error

Server configuration

  • Operating system:windows 10
  • Web server:localhost TCP/ IP
  • Database version:10.4.8-MariaDB
  • PHP version:PHP Version 7.3.10
  • phpMyAdmin version:5.0.1

Client configuration

  • Browser:firefox
  • Operating system:windows 10
@ibennetch
Copy link
Member

ibennetch commented Feb 3, 2020 via email

@bismitaguha
Copy link
Contributor

Can I work on this issue? @ibennetch

@ibennetch
Copy link
Member

ibennetch commented Feb 4, 2020 via email
edited

@MatisAct
Copy link
Author

MatisAct commented Feb 5, 2020

sorry about the issues,i don't know about it. How i can contact security team? contact email "security@phpmyadmin.net"?

@ibennetch
Copy link
Member

Yes, that's correct; we prefer to use that email address for security matters.

Thank you for your report; we'll keep you posted either here or through email regarding any release that will fix this. Best wishes.

@williamdes williamdes added the Bug A problem or regression with an existing feature label Feb 22, 2020
@williamdes williamdes added this to the 5.0.2 milestone Feb 22, 2020
@williamdes williamdes added this to Needs triage in issues via automation Feb 22, 2020
@williamdes williamdes moved this from Needs triage to High priority in issues Feb 22, 2020
@williamdes
Copy link
Member

method getPartitionsDefinition is affected

williamdes added a commit to williamdes/phpmyadmintest that referenced this issue Feb 28, 2020
@williamdes
Add test case for phpmyadmin#15898
f6af795 
Depends on 20e3d2f

Signed-off-by: William Desportes <williamdes@wdes.fr>
@williamdes williamdes mentioned this issue Feb 28, 2020
Merged
@williamdes
Copy link
Member

I made a proposal in #16004

williamdes added a commit to williamdes/phpmyadmintest that referenced this issue Mar 19, 2020
@williamdes
Merge phpmyadmin#16004 - Fix phpmyadmin#15898 - escape tbl_storage_en…
e1f5dfc 
…gine argument

Pull-request: phpmyadmin#16004
Fixes: phpmyadmin#15898
Security: ca42395
Ref: phpmyadmin#16004
Ref: phpmyadmin#15898
For now I do not have a CVE code for this one.
Signed-off-by: William Desportes <williamdes@wdes.fr>
williamdes added a commit to williamdes/phpmyadmintest that referenced this issue Mar 19, 2020
@williamdes
Add ChangeLog entry for phpmyadmin#15898
bc98246 
Ref: e1f5dfc
Signed-off-by: William Desportes <williamdes@wdes.fr>
@williamdes
Copy link
Member

Merge: abcf875
ChangeLog: bc98246
Security fix: ca42395

@williamdes williamdes self-assigned this Mar 19, 2020
@williamdes williamdes linked a pull request Mar 19, 2020 that will close this issue
Fix #15898 - escape tbl_storage_engine argument #16004
Merged
issues automation moved this from High priority to Closed Mar 19, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 20, 2021
@williamdes
Copy link
Member

williamdes commented Feb 8, 2023
edited

@ibennetch did you know we had a CVE for this one ?
https://www.cve.org/CVERecord?id=CVE-2020-22452

CVE-2020-22452

Introduced by 4d98851
All versions before 4.8.4 and after 4.1.0 are vulnerable since it was $_REQUEST: d6e04ca

izsob pushed a commit to izsob/phpmyadmin that referenced this issue Mar 13, 2023
@williamdes @izsob
Fix phpmyadmin#15898 - escape tbl_storage_engine argument
94e3550 
Signed-off-by: William Desportes <williamdes@wdes.fr>
(cherry picked from commit ca42395)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@williamdes williamdes

Labels
Bug A problem or regression with an existing feature
Projects
issues
  
Closed
Milestone
5.0.2
Development

Successfully merging a pull request may close this issue.

Fix #15898 - escape tbl_storage_engine argument williamdes/phpmyadmintest
4 participants
@ibennetch @williamdes @MatisAct @bismitaguha