Left as private for now because I didn't look into whether this is a serious vulnerability. It doesn't seem to be (the error below is a jQuery selector syntax error triggered by the table name), but I err on the side of caution.
If you create a database that contains a table named '<img src=x onerror=alert(1)>', loading the Designer tab causes a JavaScript error.
Complete error report information follows:
{
"pma_version": "4.5.0-dev",
"browser_name": "FIREFOX",
"browser_version": "38.0",
"user_os": "Mac",
"server_software": "Apache/2.2.22 (Debian)",
"user_agent_string": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0",
"locale": "en",
"configuration_storage": "enabled",
"php_version": "5.4.39-0+deb7u2",
"exception_type": "js",
"exception": {
"mode": "stack",
"name": "Error",
"message": "Syntax error, unrecognized expression: #check_vis_xsses.%27%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%27",
"stack":
{
"func": "s</fb.error",
"args": "",
"line": 2,
"column": "12720",
"context": [
"/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",
"!function(a,b){\"object\"==typeof module&&\"object\"==typeof module.exports?mod//...",
"if(k&&j[k&&(e||j[k].data)||void 0!==d||\"string\"!=typeof b)return k||(k=i?a//...",
"},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...",
";",
"",
"function sprintf() {"
],
"filename": "jquery/jquery-1.11.1.min.js"
},
{
"func": "s</fb.tokenize",>klzzwxh:0112 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0113 "!function(a,b){klzzwxh:0007objectklzzwxh:0008==typeof module&&klzzwxh:0009objectklzzwxh:0010==typeof module.exports?mod//...",klzzwxh:0114 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "s</fb.select",>klzzwxh:0118 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0119 "!function(a,b){klzzwxh:0013objectklzzwxh:0014==typeof module&&klzzwxh:0015objectklzzwxh:0016==typeof module.exports?mod//...",klzzwxh:0120 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "fb", "args": "", "line": 2, "column": "7352", "context": klzzwxh:0124 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0125 "!function(a,b){klzzwxh:0019objectklzzwxh:0020==typeof module&&klzzwxh:0021objectklzzwxh:0022==typeof module.exports?mod//...",klzzwxh:0126 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".find", "args": "", "line": 2, "column": "23593", "context": klzzwxh:0130 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0131 "!function(a,b){klzzwxh:0025objectklzzwxh:0026==typeof module&&klzzwxh:0027objectklzzwxh:0028==typeof module.exports?mod//...",klzzwxh:0132 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.fn.init", "args": "", "line": 2, "column": "24160", "context": klzzwxh:0136 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0137 "!function(a,b){klzzwxh:0031objectklzzwxh:0032==typeof module&&klzzwxh:0033objectklzzwxh:0034==typeof module.exports?mod//...",klzzwxh:0138 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m", "args": "", "line": 2, "column": "393", "context": klzzwxh:0142 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0143 "!function(a,b){klzzwxh:0037objectklzzwxh:0038==typeof module&&klzzwxh:0039objectklzzwxh:0040==typeof module.exports?mod//...",klzzwxh:0144 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "displayErrors", "args": "", "line": 364, "column": "22", "context": klzzwxh:0148 " return item !== '';",klzzwxh:0149 " };",klzzwxh:0150 "",klzzwxh:0151 " for (var field_id in error_list) {",klzzwxh:0152 " var errors = error_list[field_id;", " var $field = $('#' + field_id);", " var isFieldset = $field.attr('tagName') == 'FIELDSET';", " var $errorCnt;", " if (isFieldset) {", " $errorCnt = $field.find('dl.errors');", " } else {" ], "filename": "config.js" }, { "func": "setupValidation", "args": "", "line": 531, "column": "9", "context": klzzwxh:0154 " // run all fieldset validators",klzzwxh:0155 " $('fieldset').each(function () {",klzzwxh:0156 " validate_fieldset(this, false, errors);",klzzwxh:0157 " });",klzzwxh:0158 "",klzzwxh:0159 " displayErrors(errors);",klzzwxh:0160 " } else if ($check_page_refresh) {",klzzwxh:0161 " $check_page_refresh.val('1');",klzzwxh:0162 " }",klzzwxh:0163 "}",klzzwxh:0164 ""klzzwxh:0165 , "filename": "config.js" }, { "func": "?", "args": "", "line": 538, "column": "5", "context": klzzwxh:0167 " $check_page_refresh.val('1');",klzzwxh:0168 " }",klzzwxh:0169 "}",klzzwxh:0170 "",klzzwxh:0171 "AJAX.registerOnload('config.js', function () {",klzzwxh:0172 " setupValidation();",klzzwxh:0173 "});",klzzwxh:0174 "",klzzwxh:0175 "//",klzzwxh:0176 "// END: Form validation and field operations",klzzwxh:0177 "// ------------------------------------------------------------------"klzzwxh:0178 , "filename": "config.js" }, { "func": "ErrorReport.wrap_function/new_func", "args": "", "line": 276, "column": "28", "context": 
klzzwxh:0180 " */",klzzwxh:0181 " wrap_function: function (func) {",klzzwxh:0182 " if (!func.wrapped) {",klzzwxh:0183 " var new_func = function () {",klzzwxh:0184 " try {",klzzwxh:0185 " return func.apply(this, arguments);",klzzwxh:0186 " } catch (x) {",klzzwxh:0187 " TraceKit.report(x);",klzzwxh:0188 " }",klzzwxh:0189 " };",klzzwxh:0190 " new_func.wrapped = true;"klzzwxh:0191 , "filename": "error_report.js" }, { "func": "m.event.dispatch", "args": "", "line": 3, "column": "8384", "context": klzzwxh:0193 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0194 "!function(a,b){klzzwxh:0043objectklzzwxh:0044==typeof module&&klzzwxh:0045objectklzzwxh:0046==typeof module.exports?mod//...",klzzwxh:0195 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "$event.dispatch", "args": "", "line": 373, "column": "9", "context": klzzwxh:0199 "$event.dispatch = function( event ){",klzzwxh:0200 "klzzwxh:0049if ( $.data( this, klzzwxh:0050suppress.klzzwxh:0051+ event.type ) - new Date().getTime() > 0 ){",klzzwxh:0201 "klzzwxh:0052klzzwxh:0053$.removeData( this, klzzwxh:0054suppress.klzzwxh:0055+ event.type );",klzzwxh:0202 "klzzwxh:0056klzzwxh:0057return;",klzzwxh:0203 "klzzwxh:0058}",klzzwxh:0204 "klzzwxh:0059return $dispatch.apply( this, arguments );",klzzwxh:0205 "};",klzzwxh:0206 "",klzzwxh:0207 "// event fix hooks for touch events...",klzzwxh:0208 "var touchHooks = ",klzzwxh:0209 "$event.fixHooks.touchstart = "klzzwxh:0210 , "filename": "jquery/jquery.event.drag-2.2.js" }, { "func": "m.event.add/r.handle", "args": "", "line": 3, "column": "5122", "context": klzzwxh:0212 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0213 "!function(a,b){klzzwxh:0060objectklzzwxh:0061==typeof module&&klzzwxh:0062objectklzzwxh:0063==typeof module.exports?mod//...",klzzwxh:0214 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.event.trigger", "args": "", "line": 3, "column": "7535", "context": klzzwxh:0218 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0219 "!function(a,b){klzzwxh:0066objectklzzwxh:0067==typeof module&&klzzwxh:0068objectklzzwxh:0069==typeof module.exports?mod//...",klzzwxh:0220 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".trigger/<", "args": "", "line": 3, "column": "15396", "context": klzzwxh:0224 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0225 "!function(a,b){klzzwxh:0072objectklzzwxh:0073==typeof module&&klzzwxh:0074objectklzzwxh:0075==typeof module.exports?mod//...",klzzwxh:0226 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".each", "args": "", "line": 2, "column": "2971", "context": klzzwxh:0230 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0231 "!function(a,b){klzzwxh:0078objectklzzwxh:0079==typeof module&&klzzwxh:0080objectklzzwxh:0081==typeof module.exports?mod//...",klzzwxh:0232 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "m.prototype.each", "args": "", "line": 2, "column": "833", "context": klzzwxh:0236 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/li//...",klzzwxh:0237 "!function(a,b){klzzwxh:0084objectklzzwxh:0085==typeof module&&klzzwxh:0086objectklzzwxh:0087==typeof module.exports?mod//...",klzzwxh:0238 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": ".trigger", "args": "", "line": 3, "column": "15375", "context": klzzwxh:0242 "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. 
| jquery.org/li//...",klzzwxh:0243 "!function(a,b){klzzwxh:0090objectklzzwxh:0091==typeof module&&klzzwxh:0092objectklzzwxh:0093==typeof module.exports?mod//...",klzzwxh:0244 "if(k&&j[k&&(e||j[k].data)||void 0!==d||\\"string\\"!=typeof b)return k||(k=i?a//...", "},cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this)://...", ";", "", "function sprintf() {", "/*" ], "filename": "jquery/jquery-1.11.1.min.js" }, { "func": "AJAX.fireOnload", "args": "", "line": 109, "column": "9", "context": klzzwxh:0252 " klzzwxh:0251/",klzzwxh:0253 " fireOnload: function (file) {",klzzwxh:0254 " var eventName = 'onload_' + AJAX.hash(file);",klzzwxh:0255 " $(document).trigger(eventName);",klzzwxh:0256 " if (this._debug) {",klzzwxh:0257 " console.log(",klzzwxh:0258 " // no need to translate",klzzwxh:0259 " klzzwxh:0096Fired event klzzwxh:0097 + eventName + klzzwxh:0098 for file klzzwxh:0099 + file",klzzwxh:0260 " );"klzzwxh:0261 , "filename": "ajax.js" }, { "func": "AJAX.scriptHandler.done", "args": "", "line": 555, "column": "17", "context": klzzwxh:0263 " done: function () {",klzzwxh:0264 " if (typeof ErrorReport !== 'undefined') {",klzzwxh:0265 " ErrorReport.wrap_global_functions();",klzzwxh:0266 " }",klzzwxh:0267 " for (var i in this._scriptsToBeFired) {",klzzwxh:0268 " AJAX.fireOnload(this._scriptsToBeFired[i);", " }", " AJAX.active = false;", " },", " /**", " * Appends a script element to the head to load the scripts" ], "filename": "ajax.js" }, { "func": "?", "args": "", "line": 42, "column": "1", "context": klzzwxh:0270 " });",klzzwxh:0271 " }",klzzwxh:0272 "});",klzzwxh:0273 ";",klzzwxh:0274 "",klzzwxh:0275 "AJAX.scriptHandler.done();"klzzwxh:0276 , "filename": "pmd/init.js" } ], "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0", "incomplete": "false", "uri": "db_designer.php?target=" }, "script_name": "db_designer.php", "microhistory": { "pages": klzzwxh:0278 {klzzwxh:0279 "hash": 
"index.php?db=test&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3"klzzwxh:0280 },klzzwxh:0281 {klzzwxh:0282 "hash": "db_structure.php?db=xsses&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3",klzzwxh:0283 "params": {klzzwxh:0284 "opendb_url": "db_structure.php",klzzwxh:0285 "safari_browser": "0",klzzwxh:0286 "collation_connection": "utf8mb4_unicode_ci",klzzwxh:0287 "lang": "en",klzzwxh:0288 "server": "1",klzzwxh:0289 "text_dir": "ltr",klzzwxh:0290 "show_databases_navigation_as_tree": "true",klzzwxh:0291 "pma_text_default_tab": "Browse",klzzwxh:0292 "pma_text_left_default_tab": "Structure",klzzwxh:0293 "pma_text_left_default_tab2": "false",klzzwxh:0294 "LimitChars": "50",klzzwxh:0295 "pftext": "",klzzwxh:0296 "confirm": "true",klzzwxh:0297 "LoginCookieValidity": "1440",klzzwxh:0298 "logged_in": "true",klzzwxh:0299 "default_fk_check_value": "1",klzzwxh:0300 "auth_type": "cookie"klzzwxh:0301 }klzzwxh:0302 },klzzwxh:0303 {klzzwxh:0304 "hash": "db_designer.php?db=xsses&table=&server=1&target=&token=762abf7bf5135945490cf8095f2ccae3",klzzwxh:0305 "params": {klzzwxh:0306 "opendb_url": "db_structure.php",klzzwxh:0307 "safari_browser": "0",klzzwxh:0308 "collation_connection": "utf8mb4_unicode_ci",klzzwxh:0309 "lang": "en",klzzwxh:0310 "server": "1",klzzwxh:0311 "text_dir": "ltr",klzzwxh:0312 "show_databases_navigation_as_tree": "true",klzzwxh:0313 "pma_text_default_tab": "Browse",klzzwxh:0314 "pma_text_left_default_tab": "Structure",klzzwxh:0315 "pma_text_left_default_tab2": "false",klzzwxh:0316 "LimitChars": "50",klzzwxh:0317 "pftext": "",klzzwxh:0318 "confirm": "true",klzzwxh:0319 "LoginCookieValidity": "1440",klzzwxh:0320 "logged_in": "true",klzzwxh:0321 "default_fk_check_value": "1",klzzwxh:0322 "auth_type": "cookie"klzzwxh:0323 }klzzwxh:0324 }klzzwxh:0325 , "current_index": "3" } }
Diff:
Looks like I am unable to recreate the issue. Can you attach an export of the database so I can try again?
To be clear this is with the latest git version.
It's the quotes in the table name that cause this issue. For example, you can recreate it with the table name a'b. Should be fixed with https://github.com/phpmyadmin/phpmyadmin/commit/72cc1f9f513cb7252e40e46ce74f5b8ce2449ffc
This comment is posted automatically by phpMyAdmin's error-reporting-server.
This comment is posted automatically by phpMyAdmin's error-reporting-server.