When you insert a wrong valid table name, the doc_link function is called.
The problem is that when you put a wrong table name on MariaDB, the table parameter is not properly escaped, hence causing XSS on the client side.
It should affect the latest browsers.
The following URL should trigger XSS:
http://domain/?server=db&username=root&db=mysql&table=event%27%3E%3Csvg/onload=alert(document.cookie)%3E
Thanks, I was able to trigger an error and fix the bug but XSS was prevented by CSP. Which browser do you use?
I checked back on the issue and found some root causes of the trigger here.
I've installed Adminer with the default Docker setup.
With the default installation, Adminer comes with
error_reporting(6135);
https://github.com/vrana/adminer/blob/f6880b59d6ab40444407616701c1376c90aba5a5/compile.php#L7
The problem with this is that the CSP header gets discarded since the error is sent even before the CSP headers are set. I guess it is better to use the header before the actual call.
Tested in the latest Chrome and Firefox.
I see, thanks for the additional information. This requires PDO and Adminer 4.7.8-4.8.0 (which has broken error reporting in PDO), that's why I wasn't able to reproduce it.
Do you have plans to file a CVE for this issue?
https://github.com/vrana/adminer/security/advisories
My GitHub ID is stypr.
Sent https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc to GitHub for review.
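The two defences discussed in this thread, as an added example that is not part of the thread and not Adminer's code: the CSP header is sent before anything can reach the response body, and the table name is escaped for a quoted attribute. The function names, the markup, the docs URL and the CSP value are assumptions made for illustration.

```php
<?php
// Added example, not Adminer code. send_security_headers(), attr() and
// render_missing_table() are hypothetical names; the CSP value is an assumed policy.
declare(strict_types=1);

function send_security_headers(): void
{
    // Once any body byte has gone out (for instance a displayed PHP warning),
    // header() can no longer add the CSP header to the response.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    header("Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'none'");
}

function attr(string $value): string
{
    // ENT_QUOTES is required: before PHP 8.1 the default flags left ' unescaped,
    // which is enough to break out of a single-quoted attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_missing_table(string $table): string
{
    // Assumed markup: the table name lands in a single-quoted href and in text.
    $href = 'https://docs.example/tables/' . rawurlencode($table);
    return "<p class='error'>Unknown table <a href='" . attr($href) . "'>"
        . attr($table) . "</a></p>\n";
}

ini_set('display_errors', '0'); // driver warnings go to the log, not the body
ob_start();                     // hold all output until headers are set
send_security_headers();

// Constructed input: the URL-decoded table value from the report above.
$table = "event'><svg/onload=alert(document.cookie)>";
$html = render_missing_table($table);

// Fail loudly if the quote or the tag survived as markup.
if (strpos($html, '<svg') !== false || strpos($html, "event'") !== false) {
    throw new LogicException('table name reached the page unescaped');
}
echo $html;
ob_end_flush();
```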