
#4958 Designer Javascript error with specially crafted table name

Latest_Git
fixed
None
Normal
2015-06-15
2015-06-13
No

Left as private for now because I didn't look into whether this is a serious vulnerability. It doesn't seem to be, but I err on the side of caution.

If you create a database that contains a table named '<img src=x onerror=alert(1)>', loading the Designer tab causes a Javascript error.

Complete error report information follows:


{
"pma_version": "4.5.0-dev",
"browser_name": "FIREFOX",
"browser_version": "38.0",
"user_os": "Mac",
"server_software": "Apache/2.2.22 (Debian)",
"user_agent_string": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0",
"locale": "en",
"configuration_storage": "enabled",
"php_version": "5.4.39-0+deb7u2",
"exception_type": "js",
"exception": {
"mode": "stack",
"name": "Error",
"message": "Syntax error, unrecognized expression: #check_vis_xsses.%27%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%27",
"stack":
{
"func": "s</fb.error",
"args": "",
"line": 2,
"column": "12720",
"context": [
"/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",
"!function(a,b){\"object\"==typeof module&&\"object\"==typeof module.exports?mod//...",
"if(k&&j[k&&(e||j[k].data)||void 0!==d||\"string\"!=typeof b)return k||(k=i?a//...",
"},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...",
";",
"",
"function sprintf() {"
],
"filename": "jquery/jquery-1.11.1.min.js"
},
{
"func": "s</fb.tokenize",>klzzwxh:0112 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0113 "!function(a,b){klzzwxh:0007objectklzzwxh:0008==typeof module&&klzzwxh:0009objectklzzwxh:0010==typeof module.exports?mod//...",klzzwxh:0114 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "s</fb.select",>klzzwxh:0118 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0119 "!function(a,b){klzzwxh:0013objectklzzwxh:0014==typeof module&&klzzwxh:0015objectklzzwxh:0016==typeof module.exports?mod//...",klzzwxh:0120 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "fb", "args": "", "line": 2, "column": "7352", "context": klzzwxh:0124 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0125 "!function(a,b){klzzwxh:0019objectklzzwxh:0020==typeof module&&klzzwxh:0021objectklzzwxh:0022==typeof module.exports?mod//...",klzzwxh:0126 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".find", "args": "", "line": 2, "column": "23593", "context": klzzwxh:0130 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0131 "!function(a,b){klzzwxh:0025objectklzzwxh:0026==typeof module&&klzzwxh:0027objectklzzwxh:0028==typeof module.exports?mod//...",klzzwxh:0132 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.fn.init", "args": "", "line": 2, "column": "24160", "context": klzzwxh:0136 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0137 "!function(a,b){klzzwxh:0031objectklzzwxh:0032==typeof module&&klzzwxh:0033objectklzzwxh:0034==typeof module.exports?mod//...",klzzwxh:0138 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m", "args": "", "line": 2, "column": "393", "context": klzzwxh:0142 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0143 "!function(a,b){klzzwxh:0037objectklzzwxh:0038==typeof module&&klzzwxh:0039objectklzzwxh:0040==typeof module.exports?mod//...",klzzwxh:0144 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "displayErrors", "args": "", "line": 364, "column": "22", "context": klzzwxh:0148 " return item !== '';",klzzwxh:0149 " };",klzzwxh:0150 "",klzzwxh:0151 " for (var field_id in error_list) {",klzzwxh:0152 " var errors = error_list[field_id;", " var $field = $('#' + field_id);", " var isFieldset = $field.attr('tagName') == 'FIELDSET';", " var $errorCnt;", " if (isFieldset) {", " $errorCnt = $field.find('dl.errors');", " } else {" ], "filename": "config.js" }, { "func": "setupValidation", "args": "", "line": 531, "column": "9", "context": klzzwxh:0154 " // run all fieldset validators",klzzwxh:0155 " $('fieldset').each(function () {",klzzwxh:0156 " validate_fieldset(this, false, errors);",klzzwxh:0157 " });",klzzwxh:0158 "",klzzwxh:0159 " displayErrors(errors);",klzzwxh:0160 " } else if ($check_page_refresh) {",klzzwxh:0161 " $check_page_refresh.val('1');",klzzwxh:0162 " }",klzzwxh:0163 "}",klzzwxh:0164 ""klzzwxh:0165 , "filename": "config.js" }, { "func": "?", "args": "", "line": 538, "column": "5", "context": klzzwxh:0167 " $check_page_refresh.val('1');",klzzwxh:0168 " }",klzzwxh:0169 "}",klzzwxh:0170 "",klzzwxh:0171 "AJAX.registerOnload('config.js', function () {",klzzwxh:0172 " setupValidation();",klzzwxh:0173 "});",klzzwxh:0174 "",klzzwxh:0175 "//",klzzwxh:0176 "// END: Form validation and field operations",klzzwxh:0177 "// ------------------------------------------------------------------"klzzwxh:0178 , "filename": "config.js" }, { "func": "ErrorReport.wrap_function/new_func", "args": "", "line": 276, "column": "28", "context": 
klzzwxh:0180 " */",klzzwxh:0181 " wrap_function: function (func) {",klzzwxh:0182 " if (!func.wrapped) {",klzzwxh:0183 " var new_func = function () {",klzzwxh:0184 " try {",klzzwxh:0185 " return func.apply(this, arguments);",klzzwxh:0186 " } catch (x) {",klzzwxh:0187 " TraceKit.report(x);",klzzwxh:0188 " }",klzzwxh:0189 " };",klzzwxh:0190 " new_func.wrapped = true;"klzzwxh:0191 , "filename": "error_report.js" }, { "func": "m.event.dispatch", "args": "", "line": 3, "column": "8384", "context": klzzwxh:0193 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0194 "!function(a,b){klzzwxh:0043objectklzzwxh:0044==typeof module&&klzzwxh:0045objectklzzwxh:0046==typeof module.exports?mod//...",klzzwxh:0195 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "$event.dispatch", "args": "", "line": 373, "column": "9", "context": klzzwxh:0199 "$event.dispatch = function( event ){",klzzwxh:0200 "klzzwxh:0049if ( $.data( this, klzzwxh:0050suppress.klzzwxh:0051+ event.type ) - new Date().getTime() > 0 ){",klzzwxh:0201 "klzzwxh:0052klzzwxh:0053$.removeData( this, klzzwxh:0054suppress.klzzwxh:0055+ event.type );",klzzwxh:0202 "klzzwxh:0056klzzwxh:0057return;",klzzwxh:0203 "klzzwxh:0058}",klzzwxh:0204 "klzzwxh:0059return $dispatch.apply( this, arguments );",klzzwxh:0205 "};",klzzwxh:0206 "",klzzwxh:0207 "// event fix hooks for touch events...",klzzwxh:0208 "var touchHooks = ",klzzwxh:0209 "$event.fixHooks.touchstart = "klzzwxh:0210 , "filename": "jquery/jquery.event.drag-2.2.js" }, { "func": "m.event.add/r.handle", "args": "", "line": 3, "column": "5122", "context": klzzwxh:0212 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0213 "!function(a,b){klzzwxh:0060objectklzzwxh:0061==typeof module&&klzzwxh:0062objectklzzwxh:0063==typeof module.exports?mod//...",klzzwxh:0214 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.event.trigger", "args": "", "line": 3, "column": "7535", "context": klzzwxh:0218 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0219 "!function(a,b){klzzwxh:0066objectklzzwxh:0067==typeof module&&klzzwxh:0068objectklzzwxh:0069==typeof module.exports?mod//...",klzzwxh:0220 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".trigger/<", "args": "", "line": 3, "column": "15396", "context": klzzwxh:0224 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0225 "!function(a,b){klzzwxh:0072objectklzzwxh:0073==typeof module&&klzzwxh:0074objectklzzwxh:0075==typeof module.exports?mod//...",klzzwxh:0226 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".each", "args": "", "line": 2, "column": "2971", "context": klzzwxh:0230 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0231 "!function(a,b){klzzwxh:0078objectklzzwxh:0079==typeof module&&klzzwxh:0080objectklzzwxh:0081==typeof module.exports?mod//...",klzzwxh:0232 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.prototype.each", "args": "", "line": 2, "column": "833", "context": klzzwxh:0236 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0237 "!function(a,b){klzzwxh:0084objectklzzwxh:0085==typeof module&&klzzwxh:0086objectklzzwxh:0087==typeof module.exports?mod//...",klzzwxh:0238 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".trigger", "args": "", "line": 3, "column": "15375", "context": klzzwxh:0242 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0243 "!function(a,b){klzzwxh:0090objectklzzwxh:0091==typeof module&&klzzwxh:0092objectklzzwxh:0093==typeof module.exports?mod//...",klzzwxh:0244 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "AJAX.fireOnload", "args": "", "line": 109, "column": "9", "context": klzzwxh:0252 " klzzwxh:0251/",klzzwxh:0253 " fireOnload: function (file) {",klzzwxh:0254 " var eventName = 'onload_' + AJAX.hash(file);",klzzwxh:0255 " $(document).trigger(eventName);",klzzwxh:0256 " if (this._debug) {",klzzwxh:0257 " console.log(",klzzwxh:0258 " // no need to translate",klzzwxh:0259 " klzzwxh:0096Fired event klzzwxh:0097 + eventName + klzzwxh:0098 for file klzzwxh:0099 + file",klzzwxh:0260 " );"klzzwxh:0261 , "filename": "ajax.js" }, { "func": "AJAX.scriptHandler.done", "args": "", "line": 555, "column": "17", "context": klzzwxh:0263 " done: function () {",klzzwxh:0264 " if (typeof ErrorReport !== 'undefined') {",klzzwxh:0265 " ErrorReport.wrap_global_functions();",klzzwxh:0266 " }",klzzwxh:0267 " for (var i in this._scriptsToBeFired) {",klzzwxh:0268 " AJAX.fireOnload(this._scriptsToBeFired[i);", " }", " AJAX.active = false;", " },", " /**", " * Appends a script element to the head to load the scripts" ], "filename": "ajax.js" }, { "func": "?", "args": "", "line": 42, "column": "1", "context": klzzwxh:0270 " });",klzzwxh:0271 " }",klzzwxh:0272 "});",klzzwxh:0273 ";",klzzwxh:0274 "",klzzwxh:0275 "AJAX.scriptHandler.done();"klzzwxh:0276 , "filename": "pmd/init.js" } ], "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0", "incomplete": "false", "uri": "db_designer.php?target=" }, "script_name": "db_designer.php", "microhistory": { "pages": klzzwxh:0278 {klzzwxh:0279 "hash": 
"index.php?db=test&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3"klzzwxh:0280 },klzzwxh:0281 {klzzwxh:0282 "hash": "db_structure.php?db=xsses&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3",klzzwxh:0283 "params": {klzzwxh:0284 "opendb_url": "db_structure.php",klzzwxh:0285 "safari_browser": "0",klzzwxh:0286 "collation_connection": "utf8mb4_unicode_ci",klzzwxh:0287 "lang": "en",klzzwxh:0288 "server": "1",klzzwxh:0289 "text_dir": "ltr",klzzwxh:0290 "show_databases_navigation_as_tree": "true",klzzwxh:0291 "pma_text_default_tab": "Browse",klzzwxh:0292 "pma_text_left_default_tab": "Structure",klzzwxh:0293 "pma_text_left_default_tab2": "false",klzzwxh:0294 "LimitChars": "50",klzzwxh:0295 "pftext": "",klzzwxh:0296 "confirm": "true",klzzwxh:0297 "LoginCookieValidity": "1440",klzzwxh:0298 "logged_in": "true",klzzwxh:0299 "default_fk_check_value": "1",klzzwxh:0300 "auth_type": "cookie"klzzwxh:0301 }klzzwxh:0302 },klzzwxh:0303 {klzzwxh:0304 "hash": "db_designer.php?db=xsses&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3",klzzwxh:0305 "params": {klzzwxh:0306 "opendb_url": "db_structure.php",klzzwxh:0307 "safari_browser": "0",klzzwxh:0308 "collation_connection": "utf8mb4_unicode_ci",klzzwxh:0309 "lang": "en",klzzwxh:0310 "server": "1",klzzwxh:0311 "text_dir": "ltr",klzzwxh:0312 "show_databases_navigation_as_tree": "true",klzzwxh:0313 "pma_text_default_tab": "Browse",klzzwxh:0314 "pma_text_left_default_tab": "Structure",klzzwxh:0315 "pma_text_left_default_tab2": "false",klzzwxh:0316 "LimitChars": "50",klzzwxh:0317 "pftext": "",klzzwxh:0318 "confirm": "true",klzzwxh:0319 "LoginCookieValidity": "1440",klzzwxh:0320 "logged_in": "true",klzzwxh:0321 "default_fk_check_value": "1",klzzwxh:0322 "auth_type": "cookie"klzzwxh:0323 }klzzwxh:0324 }klzzwxh:0325 , "current_index": "3" } }

Discussion

  • Isaac Bennetch

    Isaac Bennetch - 2015-06-13
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,6 +1,6 @@
     Left as private for now because I didn't look in to whether this is a serious vulnerability. It doesn't seem to be, but I error on the side of caution.
    
    -If you create a database that contains a table named <tt>'<img src=x onerror=alert(1)>'</tt>, loading the Designer tab causes a Javascript error.
    +If you create a database that contains a table named `'<img src=x onerror=alert(1)>'`, loading the Designer tab causes a Javascript error.
    
     Complete error report information follows:
     <pre>
    
     
  • Madhura Jayaratne

    Looks like I am unable to recreate the issue. Can you attach an export of the database so I can try again?

     
  • Isaac Bennetch

    Isaac Bennetch - 2015-06-13
    • Group: 4.4.9 --> Latest_Git
     
  • Isaac Bennetch

    Isaac Bennetch - 2015-06-13

    To be clear, this is with the latest git version.

    -- Reproduction case for the Designer error: the table created below is
    -- named with two single-quote characters (`''`). Per the discussion, it is
    -- the quote characters in the table name that trigger the failure.
    CREATE DATABASE IF NOT EXISTS `aa` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
    USE `aa`;
    
    -- Table name is literally two single quotes; the column is incidental.
    CREATE TABLE IF NOT EXISTS `''` (
      `t` int(11) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    
     
  • Madhura Jayaratne

    • assigned_to: Madhura Jayaratne
     
  • Madhura Jayaratne

    It's the quotes in the table name that created this issue. For example, you can recreate the issue with the table name a'b.

     
  • Madhura Jayaratne

    • status: open --> fixed
     
  • Madhura Jayaratne

    • private: Yes --> No
     
  • phpMyAdmin bot

    phpMyAdmin bot - 2015-07-14
    Param Value
    Error Type TypeError
    Error Message field_id.match(...) is null
    Exception Type js
    Link Report#11874

    This comment is posted automatically by phpMyAdmin's error-reporting-server.

     
  • phpMyAdmin bot

    phpMyAdmin bot - 2015-07-14
    Param Value
    Error Type TypeError
    Error Message field_id.match(...) is null
    Exception Type js
    Link Report#12084

    This comment is posted automatically by phpMyAdmin's error-reporting-server.