[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
20 Apr
2006
20 Apr
'06
4:31 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Garvin Hicking schrieb:
Hi!
Actually that's not a solution to the problem. PMA needs to be fed SQL commands,
and we need to accept the via POST.
yes, but we should escape it before displaying in browser
i
don't know ... if this is really a security problem we should consider give
our forms a token - and proceed only with valid token
IMHO SQL should be escaped
(and I wonder it is not). The only way to not allow XSRF/CSRF is to put tokens
into the form. BUT putting
token into the form means to things:
1. We need to utilize sessions. Only via sessions, form tokens could be easily
implemented, because a server-token needs to be compared with a client-token.
sessions already utilized
2. Implementing the tokens might be needed on
virtually every <form> PMA has.
That'a a buttload full of work to do. ;)
this can easily be implemented via PMA_generate_common_hidden_inputs();
also this token needs to be sent with get-requests/links
- --
Sebastian Mendel
www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iD8DBQFER0dNX/0lClpZDr4RAmOiAJoD8jw4y+7/2/ieyeBkkx++iEB+NACfQxUL
JN5eU9DXDHT79piRTZxem4c=
=qRtC
-----END PGP SIGNATURE-----
20 Apr
20 Apr
5:22 a.m.
New subject: [Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
Hi!
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
Seems I missed that, too. Since when does PMA use sessions, and what are they
currently used for? Did I also miss session saving of large SQL queries when
browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded
problems?
Best regards,
Garvin
--
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
Actually
that's not a solution to the problem. PMA needs to be fed SQL
commands, and we need to accept the via POST.
yes, but we should escape it before displaying in browser 1. We need to
utilize sessions. Only via sessions, form tokens could be
easily implemented, because a server-token needs to be compared with a
client-token.
sessions already utilized
5:35 a.m.
New subject: [Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Garvin Hicking schrieb:
Hi!
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
Seems I missed that, too. Since when does PMA use sessions, and what are they
2.8
Actually
that's not a solution to the problem. PMA needs to be fed SQL
commands, and we need to accept the via POST.
yes, but we should escape it before
displaying in browser 1. We
need to utilize sessions. Only via sessions, form tokens could be
easily implemented, because a server-token needs to be compared with a
client-token.
sessions already utilized currently used for? Did I also miss session saving of
large SQL queries when
no, this is not done at the moment
only request independent data is saved in session, data that does not
change if someone uses multiple windows with phpMyAdmin, this is
currently only configuration and themes
browsing rows to get rid of the "?" editing
buttons and max-GET-length exceeded
problems?
i do not know this problem!? wasn't this fixed with 'subforms'?
- --
Sebastian Mendel
www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iD8DBQFER1Y/X/0lClpZDr4RAtKFAJ9jHarPvUExqY2VfqSoEV1Ru8+tKwCePPmC
ODIEOBFt9OiQIZum8Nh0Aio=
=MGl4
-----END PGP SIGNATURE-----
6:44 a.m.
New subject: [Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
On Thu, 20 Apr 2006 11:23:34 +0200 (CEST)
"Garvin Hicking" <phpmyadmin(a)supergarv.de> wrote:
Ah, I overread that. Yes, escaping SQL when displaying
it would be wise.
This is already done and works fine.
--
Michal Čihař | http://cihar.com
6729
days inactive
6729
days old
3 comments
3 participants
participants (3)
-
Garvin Hicking -
Michal Čihař -
Sebastian Mendel