[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
lists at sebastianmendel.de
Thu Apr 20 01:31:10 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Garvin Hicking schrieb:
>>> i don't know ... if this is really a security problem we should consider give
>>> our forms a token - and proceed only with valid token
>> IMHO SQL should be escaped (and I wonder it is not).
> Actually that's not a solution to the problem. PMA needs to be fed SQL commands,
> and we need to accept the via POST.
yes, but we should escape it before displaying in browser
> The only way to not allow XSRF/CSRF is to put tokens into the form. BUT putting
> token into the form means to things:
> 1. We need to utilize sessions. Only via sessions, form tokens could be easily
> implemented, because a server-token needs to be compared with a client-token.
sessions already utilized
> 2. Implementing the tokens might be needed on virtually every <form> PMA has.
> That'a a buttload full of work to do. ;)
this can easily be implemented via PMA_generate_common_hidden_inputs();
also this token needs to be sent with get-requests/links
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
-----END PGP SIGNATURE-----
More information about the Developers