Adminer / Bugs and Features / #436 adminer username xss

#436 adminer username xss

Milestone: 4.1.0

Status: closed-fixed

Owner: nobody

Labels: XSS (2)

Priority: 9

Updated: 2015-02-07

Created: 2015-01-30

Creator: zeng zhen

Private: No

there is one xss security on "username" param
When access url like demo.adminer.org/adminer.php?username=root,one attacter can inject script codes like -> demo.adminer.org/adminer.php?username=root''><scRipt>alert('xss')</sCript>
I think it is really bad.
server is php5.6.4&mysql5.6.12

Discussion

Jakub Vrána - 2015-02-03

This is a very serious bug, thank you for the report. I'll fix it and release a new version of Adminer this week.

Please mark security bugs as private the next time.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- zeng zhen - 2015-02-04
  
  thank you for response .I'll mark private bugs private next time(wish never will have next time).
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jakub Vrána - 2015-02-03

status: open --> open-accepted

private: No --> Yes
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jakub Vrána - 2015-02-07

Fixed and released, thank you again for this report.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jakub Vrána - 2015-02-07

status: open-accepted --> closed-fixed

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

adminer username xss

Database management in a single PHP file

Group

Searches

Help

#436 adminer username xss

Discussion