[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Garvin Hicking schrieb:
Hi!
i don't know ... if this is really a security problem we should consider give our forms a token - and proceed only with valid token IMHO SQL should be escaped (and I wonder it is not).
Actually that's not a solution to the problem. PMA needs to be fed SQL commands, and we need to accept the via POST.
yes, but we should escape it before displaying in browser
The only way to not allow XSRF/CSRF is to put tokens into the form. BUT putting token into the form means to things:
1. We need to utilize sessions. Only via sessions, form tokens could be easily implemented, because a server-token needs to be compared with a client-token.
sessions already utilized
2. Implementing the tokens might be needed on virtually every <form> PMA has. That'a a buttload full of work to do. ;)
this can easily be implemented via PMA_generate_common_hidden_inputs(); also this token needs to be sent with get-requests/links - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFER0dNX/0lClpZDr4RAmOiAJoD8jw4y+7/2/ieyeBkkx++iEB+NACfQxUL JN5eU9DXDHT79piRTZxem4c= =qRtC -----END PGP SIGNATURE-----
Hi!
Actually that's not a solution to the problem. PMA needs to be fed SQL commands, and we need to accept the via POST.
yes, but we should escape it before displaying in browser
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
1. We need to utilize sessions. Only via sessions, form tokens could be easily implemented, because a server-token needs to be compared with a client-token.
sessions already utilized
Seems I missed that, too. Since when does PMA use sessions, and what are they currently used for? Did I also miss session saving of large SQL queries when browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded problems? Best regards, Garvin -- ++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242 ++ Developer of | www.phpMyAdmin.net | www.s9y.org ++ Make me happy | http://wishes.garv.in
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Garvin Hicking schrieb:
Hi!
Actually that's not a solution to the problem. PMA needs to be fed SQL commands, and we need to accept the via POST. yes, but we should escape it before displaying in browser
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
1. We need to utilize sessions. Only via sessions, form tokens could be easily implemented, because a server-token needs to be compared with a client-token. sessions already utilized
Seems I missed that, too. Since when does PMA use sessions, and what are they
2.8
currently used for? Did I also miss session saving of large SQL queries when
no, this is not done at the moment only request independent data is saved in session, data that does not change if someone uses multiple windows with phpMyAdmin, this is currently only configuration and themes
browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded problems?
i do not know this problem!? wasn't this fixed with 'subforms'? - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFER1Y/X/0lClpZDr4RAtKFAJ9jHarPvUExqY2VfqSoEV1Ru8+tKwCePPmC ODIEOBFt9OiQIZum8Nh0Aio= =MGl4 -----END PGP SIGNATURE-----
On Thu, 20 Apr 2006 11:23:34 +0200 (CEST) "Garvin Hicking" <phpmyadmin@supergarv.de> wrote:
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
This is already done and works fine. -- Michal Čihař | http://cihar.com
participants (3)
-
Garvin Hicking -
Michal Čihař -
Sebastian Mendel