[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution

Sebastian Mendel lists at sebastianmendel.de
Thu Apr 20 01:31:10 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Garvin Hicking wrote:
> Hi!
> 
>>> I don't know ... if this is really a security problem we should consider giving
>>> our forms a token - and proceed only with a valid token
>> IMHO SQL should be escaped (and I wonder why it is not).
> 
> Actually that's not a solution to the problem. PMA needs to be fed SQL commands,
> and we need to accept them via POST.

Yes, but we should escape it before displaying it in the browser.


> The only way to not allow XSRF/CSRF is to put tokens into the form. BUT putting
> tokens into the form means two things:
> 
> 1. We need to utilize sessions. Only via sessions, form tokens could be easily
> implemented, because a server-token needs to be compared with a client-token.

Sessions are already utilized.


> 2. Implementing the tokens might be needed on virtually every <form> PMA has.
> That's a buttload full of work to do. ;)

This can easily be implemented via PMA_generate_common_hidden_inputs().

Also, this token needs to be sent with GET requests/links.


- --
Sebastian Mendel

www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFER0dNX/0lClpZDr4RAmOiAJoD8jw4y+7/2/ieyeBkkx++iEB+NACfQxUL
JN5eU9DXDHT79piRTZxem4c=
=qRtC
-----END PGP SIGNATURE-----
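The token scheme discussed in this thread (a per-session server token emitted into every form's hidden inputs and into GET links, compared against the client-supplied copy before a request is processed, with the submitted SQL escaped when echoed back to the browser) can be sketched as follows. This is an added example, not phpMyAdmin's code: hidden_inputs() is a hypothetical stand-in for PMA_generate_common_hidden_inputs(), the request arrays are constructed for the demonstration, and the parameter name `token` is an assumption.

```php
<?php
// Added example (not phpMyAdmin's code): per-session CSRF token that is
// emitted as a hidden input in every form and appended to GET links, then
// checked before any state-changing request is processed.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Create the server-side token once per session; it never leaves the
// session except as a field the browser must echo back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hypothetical counterpart of PMA_generate_common_hidden_inputs(): emit the
// token alongside the other hidden fields a form carries, HTML-escaped.
function hidden_inputs(array $extra = []): string {
    $fields = ['token' => csrf_token()] + $extra;
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= '<input type="hidden" name="'
            . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8') . '" value="'
            . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
    }
    return $html;
}

// Links issued via GET must carry the token too; otherwise a crafted URL
// bypasses the form check entirely.
function url_with_token(string $base, array $params): string {
    return $base . '?' . http_build_query($params + ['token' => csrf_token()]);
}

// Reject any request whose client token does not match the session token.
// hash_equals() is a constant-time comparison and tolerates length mismatches.
function check_token(array $request): bool {
    if (empty($_SESSION['csrf_token']) || !isset($request['token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $request['token']);
}

// The submitted SQL is still handed to the database as SQL, but must be
// escaped when echoed back into the page (the XSS half of the report).
function render_sql(string $sql): string {
    return '<pre>' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// --- demonstration with constructed requests ---
$legitimate = [
    'sql_query' => "SELECT * FROM t WHERE a='<script>alert(1)</script>'",
    'token'     => csrf_token(),
];
$forged = ['sql_query' => 'DROP TABLE t', 'token' => 'guess'];

echo hidden_inputs(['db' => 'test']);
echo url_with_token('sql.php', ['db' => 'test', 'sql_query' => 'SELECT 1']), "\n";
var_dump(check_token($legitimate));
var_dump(check_token($forged));
echo render_sql($legitimate['sql_query']), "\n";
```

Run with `php example.php`. The forged request fails because its token does not match the session copy, and the legitimate one's sql_query is rendered with the script tag escaped rather than interpreted.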