Re: [ppa-dev] exploit was a false alarm - go code quality!

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

FYI. This fellow submitted a false alarm to the phpLDAPadmin list as well.

--Dave

<quote who="Christopher Kings-Lynne">
> Hi Chris,
>      Thanks for the reply! Sorry, false alarm. My fault. Sorry again!
>
> Best,
> Wayne
>
>
>
>  >> I don't understand how you can possibly inject JavaScript or HTML in
>  >> this case, since the $misc->printVal() function will run
>  >> htmlspecialchars() over the $_REQUEST['database'] variable.
>  >>
>  >> This means that any JavaScript you try putting in that variable will
> be
>  >> escaped and never execute.
>  >>
>  >> Also, how can an attacker set the value of $_REQUEST['database']?
>  >>
>  >> Also, how could you steal someone's cookie with it?
>  >>
>  >> Regards,
>  >>
>  >> Chris
>  >>
>  >>
>  >
>  >>> > -------- Original Message --------
>  >>> > Subject: Regarding vulnerabilities found in PhpPgAdmin
>  >>> > Date: Tue, 28 Oct 2003 09:56:54 -0800
>  >>> > From: Yao-Wen (Wayne) Huang <yw...@op...>
>  >>> > Reply-To: Yao-Wen (Wayne) Huang <yw...@op...>
>  >>> > Organization: National Taiwan University
>  >>> > To: <brt...@us...>,
> <ch...@us...>,
>  >>> > <kil...@us...>, <sl...@us...>,
>  >>> > <so...@us...>, <xz...@us...>
>  >>> > CC: Yao-Wen (Wayne) Huang <yw...@op...>,
>
> <wa...@ya...>
>
>  >>> >
>  >>> > Dear Sir,
>  >>> > We have found that the following lines of code from PhpPgAdmin are
>  >>> > vulnerable to script injection. We have listed them below. If
> you'd like
>  >>> > more detailed information, please feel welcome to e-mail me. More
>  >>> > importantly, if you intend to patch this vulnerability in the
> future,
>  >>> > please
>  >>> > also reply and let me know. Thanks a lot!
>  >>> >
>  >>> > Best regards,
>  >>> > Yao-Wen (Wayne) Huang
>  >>> > Research assistant, Institute of Information Science, Academia
> Sinica,
>  >>> > Taiwan
>  >>> > Ph.D. candidate, Department of Electrical Engineering, National
> Taiwan
>  >>> > University
>  >>> >
>  >>> > File: phpPgAdmin\constraints.php
>  >>> > Line: 38, variable: _REQUEST['database']
>  >>> >
>  >>> >
>  >>> >    echo "<h2>", $misc->printVal($_REQUEST['database']), ":
>  >>> > {$lang['strtables']}: ",
>  >>> >     $misc->printVal($_REQUEST['table']), ":
> {$lang['straddfk']}</h2>\n";
>  >>> >    $misc->printMsg($msg);
>  >>> >
>  >>> >
>  >>> > Short description:
>  >>> > Since _REQUEST['database'] came directly from HTTP requests, it
> can not
>
> be
>
>  >>> > used directly to construct HTML output. Therefore the code is
> vulnerable
>
> to
>
>  >>> > Cross-Site Scripting, which allows an attacker to inject
> javascript code
>  >>> > into a HTML page. Since the HTML page is delivered on behalf of the
>
> server,
>
>  >>> > the "same origin policy" is violated. This allows an attacker to
> steal
>  >>> > cookies from the victim.
>  >>> >
>
>
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> phpPgAdmin-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phppgadmin-devel
>

Dave Smith
--------------
  :wq == :-)
--------------