[adminer-tracker] [ adminer-Bugs and Features-3392685 ] security concerns, adminer passing urls thr
Database management in a single PHP file
Brought to you by:
jakubvrana
From: SourceForge.net <no...@so...> - 2012-04-03 13:51:10
Bugs and Features item #3392685, was opened at 2011-08-16 13:02
Message generated for change (Comment added) made by nobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1127745&aid=3392685&group_id=264133

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Common
Group: 3.3.3
Status: Open
Resolution: Accepted
Priority: 5
Private: No
Submitted By: schipplock ()
Assigned to: Jakub Vrána (jakubvrana)
Summary: security concerns, adminer passing urls through adminer.org

Initial Comment:
Hi, I like adminer a lot but I noticed something that's really not ok. When I have http links in the table, adminer makes them "clickable" and if I click them in the adminer "select" view, it passes the url through adminer.org. http://www.adminer.org/redirect/?url=http://www.bild.de <-- e.g. will redirect you to bild.de. I don't see a technical requirement in here nor an improvement. The problem here is that you know all links clicked within adminer and you also know where the links came from. That's really not acceptable. The source says it's to hide the referer. Well, at least adminer.org knows them now. I suggest not making links clickable by default and simply letting the user decide. Adminer has a plugin system so that's the way to go. For now adminer.org is just some random host which I personally don't trust. The host; not the project.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2012-04-03 06:51

Message:
I loved your blog post. Thanks again. Much obliged.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2012-04-03 06:01

Message:
wow, awesome blog post. Really looking forward to reading more. Keep writing.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2012-04-03 05:14

Message:
Thank you ever so for your blog post. Really looking forward to reading more. Awesome.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2012-04-03 04:41

Message:
Thanks-a-mundo for the post. Really thank you! Keep writing.

----------------------------------------------------------------------

Comment By: Jakub Vrána (jakubvrana)
Date: 2011-10-27 23:40

Message:
The reason for this is to avoid leaking the URLs of Adminer installations to random hosts linked from the user data (through the Referer header). The best way to avoid this is to run Adminer under HTTPS, where the Referer is not set, so no redirection is performed. However, I will make it pluginable.

----------------------------------------------------------------------

Comment By: langpavel (langpavel)
Date: 2011-10-27 15:27

Message:
Hi. Jakub Vrána is evil :-)

Change line 348 in select.inc.php from github:

    if ($protocol = is_url($row[$key])) {
        $link = ($protocol == "http" && $HTTPS
            ? $row[$key] // HTTP links from HTTPS pages don't receive Referer automatically
            : "$protocol://www.adminer.org/redirect/?url=" . urlencode($row[$key]) // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
        );
    }

This is the only line of code that does this evil redirect. By the way - Jakub should publish a list of all redirects from adminer users (it should be a statistical integer ;-) )

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1127745&aid=3392685&group_id=264133
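The thread turns on one design choice: hide the Referer by bouncing every link through adminer.org (so a third party sees the link and the installation that clicked it), or hide it in the browser with rel="noreferrer", which the quoted snippet's own comment already names as the alternative. The following is an added example in PHP, not Adminer's code: a cell renderer that makes only http(s) values clickable, escapes everything, suppresses the Referer with rel="noreferrer" (plus rel="noopener"), and backs that with a Referrer-Policy header. The function names, the header placement and the sample rows are my own assumptions and constructed data.

```php
<?php
// Added example (not Adminer's code): render a URL stored in a table cell as a
// clickable link without passing it through a third-party redirect service.
// The Referer is suppressed client-side with rel="noreferrer" and, as defence
// in depth, with a Referrer-Policy response header. All names are assumptions.

declare(strict_types=1);

/** Return "http" or "https" if $value is an absolute http(s) URL, otherwise null. */
function link_scheme(string $value): ?string
{
    // Only http and https ever become links; javascript:, data:, file: stay plain text.
    if (!preg_match('~^(https?)://[^\s/?#]+[^\s]*$~i', $value, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

/** Escape a value for HTML text and attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render one cell. URLs become links that send no Referer (rel="noreferrer")
 * and give the target no handle on our window (rel="noopener"); anything
 * else is escaped plain text. No intermediate host ever sees the link.
 */
function render_cell(string $value): string
{
    if (link_scheme($value) === null) {
        return h($value);
    }
    return '<a href="' . h($value) . '" rel="noreferrer noopener" target="_blank">'
        . h($value) . '</a>';
}

// Defence in depth: the policy header also covers links elsewhere on the page
// and browsers that ignore the rel attribute. It must be sent before any output.
if (!headers_sent()) {
    header('Referrer-Policy: no-referrer');
}

// Constructed sample rows standing in for a SELECT result.
$rows = [
    ['id' => 1, 'homepage' => 'http://www.bild.de'],
    ['id' => 2, 'homepage' => 'https://example.org/path?q=1'],
    ['id' => 3, 'homepage' => 'javascript:void(0)'],   // must not become a link
    ['id' => 4, 'homepage' => 'plain text <b>'],       // must be escaped, not linked
];

echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr>';
    foreach ($row as $value) {
        echo '<td>' . render_cell((string) $value) . '</td>';
    }
    echo "</tr>\n";
}
echo "</table>\n";
```

Compared with the quoted select.inc.php line, this keeps the property Jakub wants (the target host never learns the installation's URL) for HTTP-to-HTTP links as well, not only for the HTTPS-page case, and it removes adminer.org from the path entirely, which is the complaint in the initial report.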