Bug #7652

diag_tables.php: 'type' parameter can lead to XSS

Added by Jim Pingle about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Web Interface
Target version:
Start date: 06/16/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

Two problems with diag_tables.php that together can lead to XSS via the type (table name) parameter:

  • Lack of input validation allows the 'type' parameter to be submitted with an invalid value (a table that does not exist), which is then still used in functions on the page
  • When an invalid table name contains code that could trigger an XSS, it is run when the type parameter is resubmitted via AJAX to load table content.

Example:

/diag_tables.php?type=%27}});});});alert(%27XSS%27);%20console.log(function(){%20console.log(function(){%20console.log({%20c:{%27a%27:%27
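
The snippet below is an added illustration, not pfSense code and not the change made in the revisions listed further down; the table list, function names and the shape of the inline script are assumptions chosen so the two halves of the report can be seen side by side. Reading the payload above after URL-decoding, the leading `'}});});});` closes the string literal and the object, call and function nesting around it, `alert('XSS');` then runs, and the trailing `console.log(function(){ ... c:{'a':'` reopens a matching nesting so the rest of the original script still parses. The stand-in page is shaped so that this balances against it; the real page's script may differ.

```php
<?php
// Added example, not pfSense code. A stand-in for a page that takes a table
// name from the query string and hands it back to the browser for an AJAX
// reload. The table names below are assumed for the example.

// Hypothetical stand-in for "the tables that exist on this box".
function example_table_list(): array {
    return ['bogons', 'bogonsv6', 'snort2c', 'sshguard', 'webConfiguratorlockout'];
}

// Vulnerable pattern: the raw parameter is interpolated into a JS string
// literal. A value that begins with  '}});});});  closes the literal and
// every enclosing brace and call, so whatever follows runs on page load.
function render_vulnerable(string $type): string {
    return <<<HTML
<script>
$(function(){ $('#reload').on('click', function(){
    $.ajax({ url: '/diag_tables.php', data: { type: '{$type}' } });
}); });
</script>
HTML;
}

// Hardened pattern, two independent controls:
//  (1) reject any value that is not a known table name, so an invalid
//      'type' is never carried into later functions on the page;
//  (2) emit whatever does reach the script via json_encode(), so the value
//      cannot terminate its string literal even if (1) is loosened later.
function validated_table(?string $type, array $known, string $default = 'bogons'): string {
    if ($type === null || !in_array($type, $known, true)) {
        return $default;   // unknown table: fall back, never echo the input
    }
    return $type;
}

function js_string(string $s): string {
    // JSON_HEX_* keeps < > & ' " out of the output, so the literal is safe
    // inside <script> and also if it ever lands in an HTML attribute.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_hardened(?string $type): string {
    $table = validated_table($type, example_table_list());
    $js    = js_string($table);
    return <<<HTML
<script>
$(function(){ $('#reload').on('click', function(){
    $.ajax({ url: '/diag_tables.php', data: { type: {$js} } });
}); });
</script>
HTML;
}

// The payload from the report, URL-decoded (constructed input for the demo).
$payload = "'}});});});alert('XSS'); console.log(function(){ console.log(function(){ console.log({ c:{'a':'";

echo render_vulnerable($payload), "\n";   // alert('XSS') is emitted verbatim
echo render_hardened($payload), "\n";     // unknown name: falls back to "bogons"
echo render_hardened('sshguard'), "\n";   // a real table name passes through
```

Run it with `php` from the command line and compare the three `<script>` blocks: in the first the injected `alert('XSS')` sits at statement level, in the second the payload never appears because it is not a known table, and in the third the value is emitted as a JSON string so a name containing quotes or angle brackets would still stay inside its literal.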

Associated revisions

Revision e90eaf31 (diff)
Added by Jim Pingle about 2 years ago

Fix handling of the 'type' parameter so it is validated and encoded on diag_table.php. Fixes #7652

Revision 6c989d4a (diff)
Added by Jim Pingle about 2 years ago

Fix handling of the 'type' parameter so it is validated and encoded on diag_table.php. Fixes #7652

Revision e243e325 (diff)
Added by Jim Pingle about 2 years ago

Fix handling of the 'type' parameter so it is validated and encoded on diag_table.php. Fixes #7652

History

#1 Updated by Jim Pingle about 2 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

Fixed

#3 Updated by Jim Pingle about 2 years ago

  • Private changed from Yes to No
