author | Ömer Çıtak | 2016-09-02 10:26:37 +0000 |
committer | Robert Treat | 2019-07-20 23:20:57 +0000 |
commit | 93765ac2cbfe665d113e8cab980adb86bda62393 (patch) | |
tree | 466e76387a7eaa95fa744849409ffbe39509a089 | |
parent | 208eff3c2840886e9a0d8e76a1f31a9e5646449f (diff) |
fixed Reflected XSS vulnerability
"table" and "schema" parameters are vulnerable.
PoC;
payload: </textarea><img src=x onerror=alert('xss_by_@om3rcitak')>
http://localhost/phppgadmin/display.php?subject=table&return=table&table=users&server=localhost:5432:allow&database=omer&schema=</textarea><img src=x onerror=alert('xss_by_@om3rcitak')>
OR
http://localhost/phppgadmin/display.php?subject=table&return=table&table=</textarea><img src=x onerror=alert('xss_by_@om3rcitak')>&server=localhost:5432:allow&database=omer&schema=public
-rw-r--r-- | display.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/display.php b/display.php
index f87a2153..588b3100 100644
--- a/display.php
+++ b/display.php
@@ -537,7 +537,7 @@
 }
 }
 //$query = isset($_REQUEST['query'])? $_REQUEST['query'] : "select * from {$_REQUEST['schema']}.{$_REQUEST['table']};";
- echo $query;
+ echo htmlspecialchars($query);
 echo '</textarea><br><input type="submit"/></form>';
 if (is_object($rs) && $rs->recordCount() > 0) { |
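Review bot: The added `echo htmlspecialchars($query);` relies on the default flags and charset, and on the PHP versions this project ran on at the time the default is `ENT_COMPAT`, which leaves single quotes unescaped, while an invalid UTF-8 sequence in `$query` makes the call return an empty string and silently blanks the textarea. For the `<textarea>` element body the defaults do stop the breakout shown in the description, since only `<`, `>` and `&` matter there, but the explicit form `echo htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps the behaviour independent of `default_charset` and stays correct if this line is ever moved into an attribute context. The enclosing block starts and ends outside the hunk, and `$query` is assigned above it; if the same value is echoed at any other point in display.php, those sinks would need the same escaping — that cannot be confirmed from this hunk alone.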