On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr@gmail.com> wrote:
Hi,
I have created table: CREATE TABLE "<h1 onmouseover='alert(1);'>x" ( id serial );
In sidebar I expanded "Tables" and i moved my mouse to table "X". In that case I received javascript alert.
XSS works when i put malicious code into index name or column name: CREATE TABLE a (id serial); CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
During removal index or table still see JavaScript alert. And last one, in "Properties" tab.
All chars like <, >, ", '. should be filtered in names of tables, columns, indexes.
Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4), 64-bit