XSS Vulnerability

Question

XSS Vulnerability

prodigysml opened this issue 7 years ago · comments

Sajeeb Lohani (sml555 / prodigysml) commented 7 years ago

There are multiple instances of XSS within PHPMiniAdmin. Some of them are stored, which implies that it will persist for all users and social engineering is not required.

The easiest way to patch this is simply use htmlentities every time you echo something.

Oleg Savchuk · Answer 1 · Thu Jun 15 2017 13:16:22 GMT+0800 (China Standard Time)

Could you please describe specific places where "multiple instances of XSS" exists?

I already reviewed and fixed such issues, but I might miss some place.

Sajeeb Lohani (sml555 / prodigysml) · Answer 2 · Thu Jun 15 2017 13:18:04 GMT+0800 (China Standard Time)

If the database name is an XSS payload, it will execute the javascript. I am actually working on a quick patch which I will give to you as a pull request which should fix these issues, if that is okay with you :)

Oleg Savchuk · Answer 3 · Thu Jun 15 2017 13:20:41 GMT+0800 (China Standard Time)

yes, that would be nice, thank you

Sajeeb Lohani (sml555 / prodigysml) · Answer 4 · Thu Jun 15 2017 14:03:59 GMT+0800 (China Standard Time)

I have added in a pull request for this bug. Here is the pull request: #29

Sajeeb Lohani (sml555 / prodigysml) · Answer 5 · Mon Jul 03 2017 20:21:06 GMT+0800 (China Standard Time)

Just a quick reminder about the patch for XSS :)

Oleg Savchuk · Answer 6 · Mon Jul 10 2017 07:37:54 GMT+0800 (China Standard Time)

Thank you for reminder, I reviewed patch and it need some changes. Once done, I'll test it in full.

Oleg Savchuk · Answer 7 · Sun Jul 30 2017 18:57:32 GMT+0800 (China Standard Time)

fixed in 1.9.170730