Re: pgAdmin4 1.0-beta3 - XSS in sidebar

Поиск
Список
Период
Сортировка
От Ashesh Vashi
Тема Re: pgAdmin4 1.0-beta3 - XSS in sidebar
Дата
Msg-id CAG7mmozE7L9OND0N_29wv=Yyg0gvVTf6jpXQP_9ZEoYaMZH2rw@mail.gmail.com
обсуждение исходный текст
Ответ на Re: pgAdmin4 1.0-beta3 - XSS in sidebar  (Dave Page <dpage@pgadmin.org>)
Список pgadmin-support
Дерево обсуждения
Sure.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company


http://www.linkedin.com/in/asheshvashi


On Thu, Aug 4, 2016 at 11:45 PM, Dave Page <dpage@pgadmin.org> wrote:
Please ask Khushboo (or Murtuza?) to work on this ASAP, and check for other similar cases.

I want it resolved on top priority.

Thanks.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 4 Aug 2016, at 19:09, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

Thanks for the report.
I will create a case for the same in redmine.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company


http://www.linkedin.com/in/asheshvashi


On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr@gmail.com> wrote:
Hi,

I have created table:
    CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
        id serial
    );

In sidebar I expanded "Tables" and i moved my mouse to table "X". In
that case I received javascript alert.

XSS works when i put malicious code into index name or column name:
    CREATE TABLE a (id serial);
    CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);

    CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);


During removal index or table still see JavaScript alert. And last
one, in "Properties" tab.


All chars like <, >, ", '. should be filtered in names of tables,
columns, indexes.

Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
4.8.5-4), 64-bit


Regards,
Krzysztof Otręba


--
Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-support



В списке pgadmin-support по дате отправления: