[Phpmyadmin-devel] querywindow

Sebastian Mendel lists at sebastianmendel.de
Fri Sep 23 13:20:02 CEST 2005

Marc Delisle wrote:
> Sebastian Mendel a écrit :
>> Hi,
>> as i try to merge all the sql query box and window stuff in some 
>> functions i came across that script-noscript constructs for the form-tag
>> are there any known problems with
>> onsubmit="this.target=window.opener.parent.frames[2].name;"
>> ?
> I am not familiar with this, but for example in browse_foreigners.php, 
> there is some code that checks opener:
> if (opener && opener.document && opener.document.insertForm) {
> so maybe opener is not always available. So maybe it would be safer to 
> call a js function that makes some checks before referencing to 
> window.opener.something.

yes, of course, its only available if this windows was opened by another
window and you need to check if this opener window is still open

but if this works, we can get rid of all this javascript stuff just only
added to prevent window spoofing


or is there something i missed?

btw. at the moment any other page can also access the hash inside the
queryframe window, as phpmain is scured through this hashed name, but
the used hash can be accessed directly by the window name of the
queryframe window

so phpMyAdmin is vulnerable to window spoofing at the moment!


only the popup window needs a secured name (with hash), all other
windows/frames can be accessed by opener or parent, what is not
available to an attacker

Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet

More information about the Developers mailing list