The branch, MAINT_3_3_10 has been updated via 6cb0ad8a0de2890ef9cf895804455d1d6206df72 (commit) via 2254a70fad144a2b6b3820c325be7304765e41d7 (commit) via 8ac8328229ae7493d6060b6272578d85879c698d (commit) via 630b8260be45eb9b211f5d7628dbb9e5c1b05bc6 (commit) via f6f6ee3f1171addb166fa18e75a0b56599bf374c (commit) from ab31a2565f494c69e6b0d9a82a2932c7656592b5 (commit) - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: ChangeLog | 4 ++++ libraries/auth/swekey/swekey.auth.lib.php | 12 +++++++----- tbl_printview.php | 4 ++-- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3816fdc..54ef4ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/C... $ +3.3.10.3 (2011-07-23) +- [security] Fixed XSS vulnerability, see PMASA-2011-9 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 + 3.3.10.2 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index 2a790c4..197de1c 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -143,7 +143,9 @@ function Swekey_auth_error() return "Internal Error: CA File $caFile not found"; $result = null; - parse_str($_SERVER['QUERY_STRING']); + $swekey_id = $_GET['swekey_id']; + $swekey_otp = $_GET['swekey_otp']; + if (isset($swekey_id)) { unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']); if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) { @@ -166,7 +168,7 @@ function Swekey_auth_error() $result = $GLOBALS['strSwekeyNoKey']; if ($_SESSION['SWEKEY']['CONF_DEBUG']) { - $result .= "<br>".$swekey_id; + $result .= "<br>" . htmlspecialchars($swekey_id); } unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file } @@ -186,16 +188,16 @@ function Swekey_auth_error() <script> if (key.length != 32) { - window.location.search="?swekey_id=" + key; + window.location.search="?swekey_id=" + key + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; } else { var url = "" + window.location; if (url.indexOf("?") > 0) url = url.substr(0, url.indexOf("?")); - Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>"); + Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>&token=<?php echo $_SESSION[' PMA_token ']; ?>"); var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>); - window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp; + window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; } </script> <?php diff --git a/tbl_printview.php b/tbl_printview.php index c5b17ab..2b38e24 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -72,7 +72,7 @@ if ($multi_tables) { $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table); } - echo '<strong>'. $strShowTables . ': ' . $tbl_list . '</strong>' . "\n"; + echo '<strong>'. $strShowTables . ': ' . htmlspecialchars($tbl_list) . '</strong>' . "\n"; echo '<hr />' . "\n"; } // end if @@ -87,7 +87,7 @@ foreach ($the_tables as $key => $table) { } $counter++; echo '<div' . $breakstyle . '>' . "\n"; - echo '<h1>' . $table . '</h1>' . "\n"; + echo '<h1>' . htmlspecialchars($table) . '</h1>' . "\n"; /** * Gets table informations hooks/post-receive -- phpMyAdmin