From: David S. <Dav...@by...> - 2003-10-29 15:47:28
FYI. This fellow submitted a false alarm to the phpLDAPadmin list as well.

--Dave

<quote who="Christopher Kings-Lynne">
> Hi Chris,
> Thanks for the reply! Sorry, false alarm. My fault. Sorry again!
>
> Best,
> Wayne
>
> >> I don't understand how you can possibly inject JavaScript or HTML in
> >> this case, since the $misc->printVal() function will run
> >> htmlspecialchars() over the $_REQUEST['database'] variable.
> >>
> >> This means that any JavaScript you try putting in that variable will be
> >> escaped and never execute.
> >>
> >> Also, how can an attacker set the value of $_REQUEST['database']?
> >>
> >> Also, how could you steal someone's cookie with it?
> >>
> >> Regards,
> >>
> >> Chris
> >>
> >>> > -------- Original Message --------
> >>> > Subject: Regarding vulnerabilities found in PhpPgAdmin
> >>> > Date: Tue, 28 Oct 2003 09:56:54 -0800
> >>> > From: Yao-Wen (Wayne) Huang <yw...@op...>
> >>> > Reply-To: Yao-Wen (Wayne) Huang <yw...@op...>
> >>> > Organization: National Taiwan University
> >>> > To: <brt...@us...>, <ch...@us...>,
> >>> > <kil...@us...>, <sl...@us...>,
> >>> > <so...@us...>, <xz...@us...>
> >>> > CC: Yao-Wen (Wayne) Huang <yw...@op...>, <wa...@ya...>
> >>> >
> >>> > Dear Sir,
> >>> > We have found that the following lines of code from PhpPgAdmin are
> >>> > vulnerable to script injection. We have listed them below. If you'd like
> >>> > more detailed information, please feel welcome to e-mail me. More
> >>> > importantly, if you intend to patch this vulnerability in the future,
> >>> > please also reply and let me know. Thanks a lot!
> >>> >
> >>> > Best regards,
> >>> > Yao-Wen (Wayne) Huang
> >>> > Research assistant, Institute of Information Science, Academia Sinica,
> >>> > Taiwan
> >>> > Ph.D. candidate, Department of Electrical Engineering, National Taiwan
> >>> > University
> >>> >
> >>> > File: phpPgAdmin\constraints.php
> >>> > Line: 38, variable: _REQUEST['database']
> >>> >
> >>> > echo "<h2>", $misc->printVal($_REQUEST['database']), ": {$lang['strtables']}: ",
> >>> > $misc->printVal($_REQUEST['table']), ": {$lang['straddfk']}</h2>\n";
> >>> > $misc->printMsg($msg);
> >>> >
> >>> > Short description:
> >>> > Since _REQUEST['database'] came directly from HTTP requests, it can not be
> >>> > used directly to construct HTML output. Therefore the code is vulnerable to
> >>> > Cross-Site Scripting, which allows an attacker to inject javascript code
> >>> > into a HTML page. Since the HTML page is delivered on behalf of the server,
> >>> > the "same origin policy" is violated. This allows an attacker to steal
> >>> > cookies from the victim.

Dave Smith
--------------
:wq == :-)
--------------
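
The point made in Chris's reply, shown as an added example that is not part of the original thread or of phpPgAdmin's code: a request value passed through htmlspecialchars() before output is rendered as text, while the same value concatenated raw is not. `print_val()` is a hypothetical stand-in for `$misc->printVal()`, the literal "Tables" stands in for `$lang['strtables']`, and the sample values are constructed.

```php
<?php
// Added example, not phpPgAdmin code. print_val() is a hypothetical stand-in
// for $misc->printVal(), which the reply above says runs htmlspecialchars().
function print_val(string $value): string
{
    // Explicit flags: before PHP 8.1 the default (ENT_COMPAT) left single
    // quotes unescaped, which matters if the value ever lands in an attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request data concatenated into the page as-is (what the report assumed).
// "Tables" is a constructed literal standing in for $lang['strtables'].
function heading_raw(array $request): string
{
    return '<h2>' . $request['database'] . ": Tables</h2>\n";
}

// Request data encoded on output (what constraints.php does via printVal()).
function heading_encoded(array $request): string
{
    return '<h2>' . print_val($request['database']) . ": Tables</h2>\n";
}

// Constructed sample values for the 'database' request parameter.
$samples = [
    'template1',
    '<script>alert(1)</script>',
    'a"b\'c & d',
];

foreach ($samples as $value) {
    $request = ['database' => $value];
    $encoded = print_val($value);

    // No HTML metacharacter from the input survives encoding ...
    $inert = strpbrk($encoded, "<>\"'") === false;
    // ... and decoding restores the original bytes, so no data is lost.
    $lossless = htmlspecialchars_decode($encoded, ENT_QUOTES) === $value;

    echo 'raw:     ', heading_raw($request);
    echo 'encoded: ', heading_encoded($request);
    echo 'inert=', var_export($inert, true),
         ' lossless=', var_export($lossless, true), "\n\n";
}
```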