
#797 XSS via the table parameter

Git
closed-fixed
nobody
None
5
2021-05-14
2021-05-07
Harold Kim
No

When you insert a wrong valid table name, the doc_link function is called.
The problem is that when you put a wrong table name on MariaDB, the table parameter is not properly escaped, hence causing XSS on the client side.

It should affect the latest browsers.
The following URL should trigger XSS:

http://domain/?server=db&username=root&db=mysql&table=event%27%3E%3Csvg/onload=alert(document.cookie)%3E

1 Attachments

Discussion

  • Jakub Vrána

    Jakub Vrána - 2021-05-14
    • status: open --> closed-fixed
     
  • Jakub Vrána

    Jakub Vrána - 2021-05-14

    Thanks, I was able to trigger an error and fix the bug but XSS was prevented by CSP. Which browser do you use?

     
  • Harold Kim

    Harold Kim - 2021-05-14

    I checked back on the issue and found some root causes of the trigger here.

    I've installed Adminer with the default Docker setup.

    With the default installation, Adminer comes with error_reporting(6135);
    https://github.com/vrana/adminer/blob/f6880b59d6ab40444407616701c1376c90aba5a5/compile.php#L7

    The problem with this is that the CSP header gets discarded since the error is sent even before the CSP headers are set. I guess it would be better to use the header before the actual call.

    Tested in the latest Chrome and Firefox.

    <br />
    <b>Warning</b>:  PDO::query(): SQLSTATE[42S02]: Base table or view not found: 1146 Table 'mysql.event'&gt;&lt;s&gt;&lt;svg/onload=alert(1)&gt;' doesn't exist in <b>/var/www/html/adminer.php</b> on line <b>185</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1442</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/adminer.php:185) in <b>/var/www/html/adminer.php</b> on line <b>1443</b><br />
    <!DOCTYPE html>
    
     
  • Jakub Vrána

    Jakub Vrána - 2021-05-14

    I see, thanks for the additional information. This requires PDO and Adminer 4.7.8-4.8.0 (which has broken error reporting in PDO), that's why I wasn't able to reproduce it.

     
  • Jakub Vrána

    Jakub Vrána - 2021-05-14
    • private: Yes --> No
     
  • Harold Kim

    Harold Kim - 2021-05-14

    Do you have plans to file a CVE for this issue?

    https://github.com/vrana/adminer/security/advisories

    My GitHub ID is stypr.
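
A response-level check for the condition this thread describes (a PHP warning printed before the document, so the CSP header is never sent, and the table name reflected without escaping), as an added example that is not part of the original ticket or Adminer's code. The sample responses, the probe string and the CSP value are constructed, and `audit_response` is a hypothetical helper.

```python
import re
from html import escape

# All values below are constructed for this example.
PROBE = "event'><i>probe797</i>"  # harmless marker passed as the table name
BROKEN = (  # warning printed first, so no CSP header went out
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    "<br />\n<b>Warning</b>:  PDO::query(): SQLSTATE[42S02]: Base table or view"
    " not found: 1146 Table 'mysql." + PROBE + "' doesn't exist in"
    " <b>/var/www/html/adminer.php</b> on line <b>185</b><br />\n"
    "<br />\n<b>Warning</b>:  Cannot modify header information - headers already"
    " sent by (output started at /var/www/html/adminer.php:185)<br />\n"
    "<!DOCTYPE html>\n<title>Adminer</title>"
)
FIXED = (  # headers sent before any output, message HTML-escaped
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: script-src 'self'\r\n\r\n"
    "<!DOCTYPE html>\n<title>Adminer</title>\n<p class='error'>Table 'mysql."
    + escape(PROBE) + "' doesn't exist</p>"
)

PHP_DIAG = re.compile(r"<b>(Warning|Notice|Deprecated|Fatal error)</b>:")
HEADERS_SENT = "Cannot modify header information - headers already sent"

def audit_response(raw, probe):
    """Return a list of findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    names = {line.partition(":")[0].strip().lower()
             for line in head.split("\r\n")[1:]}
    findings = []
    if "content-security-policy" not in names:
        findings.append("missing-csp")
    # Output printed before the document means PHP flushed its headers early.
    start = body.lower().find("<!doctype")
    prefix = body if start < 0 else body[:start]
    if PHP_DIAG.search(prefix):
        findings.append("php-diagnostic-before-document")
    if HEADERS_SENT in body:
        findings.append("headers-already-sent")
    if probe in body:  # the marker came back without HTML escaping
        findings.append("probe-reflected-unescaped")
    return findings

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_response(raw, PROBE))
```
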

     
