[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution

Sebastian Mendel lists at sebastianmendel.de
Thu Apr 20 01:31:10 CEST 2006


Garvin Hicking schrieb:
> Hi!
>>> i don't know ... if this is really a security problem we should consider giving
>>> our forms a token - and proceed only with a valid token
>> IMHO SQL should be escaped (and I wonder it is not).
> Actually that's not a solution to the problem. PMA needs to be fed SQL commands,
> and we need to accept them via POST.

Yes, but we should escape it before displaying it in the browser.

> The only way to not allow XSRF/CSRF is to put tokens into the form. BUT putting
> tokens into the form means two things:
> 1. We need to utilize sessions. Only via sessions, form tokens could be easily
> implemented, because a server-token needs to be compared with a client-token.

Sessions are already utilized.

> 2. Implementing the tokens might be needed on virtually every <form> PMA has.
> That's a buttload full of work to do. ;)

This can easily be implemented via PMA_generate_common_hidden_inputs().

This token also needs to be sent with GET requests/links.

--
Sebastian Mendel
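The two mitigations the thread discusses, a session-bound form token (also carried on action links) and escaping sql_query before echoing it, as an added example that is not phpMyAdmin's own code; the function names below are hypothetical and are not PMA APIs.

```php
<?php
// Added illustration, not phpMyAdmin code. Requires PHP 7+ (random_bytes).
session_start();

// Create the server-side token once per session.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Hidden input to emit in every <form> (the role a common hidden-inputs helper plays).
function csrf_hidden_input(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// GET links that trigger actions need the token as well.
function csrf_link(string $url, array $params): string
{
    $params['token'] = csrf_token();
    return $url . '?' . http_build_query($params);
}

// Constant-time comparison of the client token against the session token.
function csrf_valid(?string $clientToken): bool
{
    return is_string($clientToken)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $clientToken);
}

// Only requests that carry a query are state-changing; those must present a valid token.
$sql = $_POST['sql_query'] ?? $_GET['sql_query'] ?? null;
if ($sql !== null) {
    if (!csrf_valid($_POST['token'] ?? $_GET['token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid form token');
    }
    // ... hand $sql to the database layer here ...
    // Escape before displaying so a crafted query cannot inject markup.
    echo '<pre>' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . '</pre>';
}

echo '<form method="post">' . csrf_hidden_input()
   . '<textarea name="sql_query"></textarea><button>Go</button></form>';
echo '<a href="' . htmlspecialchars(csrf_link('sql.php', ['db' => 'test']), ENT_QUOTES, 'UTF-8') . '">link</a>';
```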
