[adminer-tracker] [ adminer-Bugs and Features-3392685 ] security concerns, adminer passing urls through adminer.org
Database management in a single PHP file
Brought to you by:
jakubvrana
From: SourceForge.net <no...@so...> - 2011-10-27 22:27:04
Bugs and Features item #3392685, was opened at 2011-08-16 22:02
Message generated for change (Comment added) made by langpavel
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1127745&aid=3392685&group_id=264133

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Common
Group: 3.3.3
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: schipplock ()
Assigned to: Jakub Vrána (jakubvrana)
Summary: security concerns, adminer passing urls through adminer.org

Initial Comment:
Hi,

I like adminer a lot, but I noticed something that's really not ok. When I have http links in a table, adminer makes them "clickable", and if I click them in the adminer "select" view, it passes the url through adminer.org.

http://www.adminer.org/redirect/?url=http://www.bild.de <-- e.g. will redirect you to bild.de.

I don't see a technical requirement in here, nor an improvement. The problem here is that you know all links clicked within adminer and you also know where the links came from. That's really not acceptable. The source says it's to hide the referer. Well, at least adminer.org knows them now.

I suggest not making links clickable by default and simply letting the user decide. Adminer has a plugin system, so that's the way to go. For now adminer.org is just some random host which I personally don't trust. The host; not the project.

----------------------------------------------------------------------

Comment By: langpavel (langpavel)
Date: 2011-10-28 00:27

Message:
Hi. Jakub Vrána is evil :-)

Change line 348 in select.inc.php from github:

    if ($protocol = is_url($row[$key])) {
        $link = ($protocol == "http" && $HTTPS
            ? $row[$key] // HTTP links from HTTPS pages don't receive Referer automatically
            : "$protocol://www.adminer.org/redirect/?url=" . urlencode($row[$key]) // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
        );
    }

This is the only line of code that does this evil redirect.

By the way, Jakub should publish a list of all redirects from adminer users (it should be a statistical integer ;-) ).

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1127745&aid=3392685&group_id=264133
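The following is an added example, not part of the tracker thread and not Adminer's code. It puts the quoted behaviour (routing every clicked cell URL through www.adminer.org/redirect/ to hide the Referer) next to the alternative the inline comment itself mentions: emitting the link directly with rel="noreferrer", so the browser suppresses the Referer and no third-party host learns which links were clicked or from where. The is_url() helper and the $https parameter are stand-ins written for this example (Adminer's own is_url() and its global $HTTPS are not reproduced on this page); the sample cell values are constructed.

```php
<?php
// Added example, not Adminer's code. Compares the referer-hiding redirect that the
// report complains about with a direct link that relies on rel="noreferrer".
// is_url() below is a stand-in written for this example, not Adminer's helper.

/** Return "http" or "https" if $value is an absolute web URL, otherwise false. */
function is_url($value) {
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    // Only web schemes become clickable; javascript:, data: and the like are rejected.
    return in_array($scheme, array('http', 'https'), true) ? $scheme : false;
}

/** Behaviour quoted from select.inc.php: send the click through adminer.org.
 *  $https stands in for Adminer's global $HTTPS (is the current page served over TLS?). */
function link_via_redirect($value, $https) {
    $protocol = is_url($value);
    $text = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    if (!$protocol) {
        return $text;
    }
    // HTTP links on an HTTPS page are left alone because browsers already drop the
    // Referer on an HTTPS->HTTP navigation; everything else goes through adminer.org,
    // which therefore sees the target URL and, via its own Referer, the source host.
    $href = ($protocol == 'http' && $https)
        ? $value
        : "$protocol://www.adminer.org/redirect/?url=" . urlencode($value);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">' . $text . '</a>';
}

/** Hardened form: link directly and let the browser suppress the Referer. */
function link_direct($value) {
    $protocol = is_url($value);
    $text = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    if (!$protocol) {
        return $text;
    }
    // rel="noreferrer": no Referer header is sent for this navigation.
    // rel="noopener": the opened page cannot reach window.opener.
    // No intermediate host is involved, so nobody outside the browser logs the click.
    return '<a href="' . $text . '" rel="noreferrer noopener" target="_blank">' . $text . '</a>';
}

// Constructed sample values standing in for cells of a result set.
$cells = array(
    'http://www.bild.de',
    'https://example.test/path?q=1&r=2',
    'javascript:alert(1)',
    'plain text, not a link',
);
foreach ($cells as $cell) {
    echo "redirect (HTTP page): " . link_via_redirect($cell, false) . "\n";
    echo "direct:               " . link_direct($cell) . "\n\n";
}
```

Run with `php example.php`. The redirect variant only skips adminer.org for the one case (http link on an https page) where the browser already withholds the Referer; the direct variant gets the same effect for every link through the rel attribute, and additionally refuses to make non-web schemes clickable, which the quoted snippet delegates to whatever Adminer's real is_url() accepts.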