I installed phpPgAdmin 5.1 (PHP 5.3.2-1ubuntu4.21) from packages, which I believe to be the current version.
In general, results from queries seem to pass through something like htmlspecialchars, and tags are thus "escaped" from the browser. However, this is not the case for binary (bytea) fields.
Consider the following query:
SELECT '[script]alert("hallo")[/script][b]aaa[/b]'::bytea
(where I have replaced less/greater than signs with brackets, as the html tags didn't render correctly in preview)
Running this query on Firefox 24 indeed produces the alert, so the "injected" JavaScript is executed. On Chrome 28, however, a native XSS protection blocks the JS from being executed. Still, there may be problems of information leakage (e.g., the URL of the phppgadmin system could be obtained by outsiders through referrer headers).
This problem appears to be caused by the fact that function escapeBytea in class Postgres (classes/database/Postgres.php, line 232) does nothing.
I have investigated further, and found the following results:
Indeed, a one-line fix to the escapeBytea function of Postgres.php fixes the issue (see attached patch file).
I want to emphasise the seriousness of this bug. Anyone who can insert content into a bytea field (say through a file-upload on a web site) of a table that will subsequently be viewed in phppgadmin can use this in principle to run queries on the database with the account currently logged in, change passwords or create new accounts. So I would be grateful if you could address this issue for the next release.
Thanks!
Hello basteln3rk,
I believe this bug was introduced by commit c724073960af20805c60d873d94a0c38de958847 ...
I just fixed it in our current dev branch:
https://github.com/phppgadmin/phppgadmin/commit/dfcf70ee21e0ca1520a22df5a7fd7aeb928075d8
Thank you for your bug report!
thanks for fixing it
I am re-opening this bug because the fix that was submitted breaks the fix that was put in for https://sourceforge.net/p/phppgadmin/bugs/407/.
Both the xss issue and the bytea problem are important, but the bytea problem leads to data corruption even when there are no malicious actors, so I think it is the more serious of the two, and this fix should be reverted if we can't come up with something better.
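Added example, not phpPgAdmin's code and not posted by anyone in this thread: a Python model of the two escaping paths the thread is about. escape_bytea/unescape_bytea implement PostgreSQL's documented bytea "escape" input format (the storage path, the job bug 407 needs escapeBytea to do); render_cell_vulnerable/render_cell_fixed show the display path, where the missing htmlspecialchars-style escaping from the original report lets the stored tag reach the browser; store_with_wrong_escaping shows why folding HTML escaping into the storage escaper, which is what the re-opener says the fix did, corrupts data even with no attacker present. Function names are assumed for illustration, and PAYLOAD is constructed from the reporter's query with the brackets turned back into angle brackets.

```python
import html

# PostgreSQL bytea "escape" input format (per the PostgreSQL docs on binary
# data types): a zero byte, control bytes and bytes >= 0x7f become \ooo
# (three octal digits), a backslash becomes \\, and a single quote is written
# as \047 so the result can sit unchanged inside a regular SQL string literal.
PRINTABLE = range(0x20, 0x7F)

# Constructed test payload, modelled on the query in the bug report.
PAYLOAD = b'<script>alert("hallo")</script><b>aaa</b>'


def escape_bytea(data: bytes) -> str:
    """Storage path: encode raw bytes for use in a bytea SQL literal."""
    out = []
    for b in data:
        if b == 0x5C:                            # backslash
            out.append("\\\\")
        elif b == 0x27 or b not in PRINTABLE:    # quote, NUL, control, high bytes
            out.append("\\%03o" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_bytea(text: str) -> bytes:
    """Decode the escape format back to raw bytes (what the server does on input)."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if text[i + 1] == "\\":
                out.append(0x5C)
                i += 2
            else:
                out.append(int(text[i + 1:i + 4], 8))
                i += 4
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def bytea_literal(data: bytes) -> str:
    """Full SQL literal for INSERT/UPDATE, e.g. '\\000abc'::bytea."""
    return "'" + escape_bytea(data) + "'::bytea"


def render_cell_vulnerable(data: bytes) -> str:
    """Display path as the report describes it: the bytea value reaches the
    page without HTML escaping, so a stored <script> tag runs in the browser."""
    return "<td>" + data.decode("latin-1") + "</td>"


def render_cell_fixed(data: bytes) -> str:
    """Display path done right: HTML-escape at output time, independently of
    whatever escaping the storage path applies."""
    return "<td>" + html.escape(data.decode("latin-1"), quote=True) + "</td>"


def store_with_wrong_escaping(data: bytes) -> bytes:
    """What happens if HTML escaping is folded into the storage escaper:
    '<', '>', '&' and '"' are rewritten to entities before the row is written,
    so the bytes that come back out of the database are not the bytes put in.
    Returns the bytes the server would actually store."""
    corrupted_literal = html.escape(escape_bytea(data), quote=True)
    return unescape_bytea(corrupted_literal)


if __name__ == "__main__":
    print(bytea_literal(PAYLOAD))
    print(render_cell_vulnerable(PAYLOAD))   # tag intact: XSS
    print(render_cell_fixed(PAYLOAD))        # tag entity-encoded
    print(store_with_wrong_escaping(b'a<b"c'))  # b'a&lt;b&quot;c': corrupted
```

The two paths must stay separate: the storage escaper has to round-trip every byte value, and the display escaper has to neutralise markup at the moment the value is written into HTML. Doing the HTML step inside the storage escaper fixes the alert in the report but silently rewrites every `<`, `>`, `&` and `"` in uploaded binary data, which is the regression the re-opener describes.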