Re: pgAdmin4 1.0-beta3 - XSS in sidebar - Mailing list pgadmin-support

From Ashesh Vashi
Subject Re: pgAdmin4 1.0-beta3 - XSS in sidebar
Date
Msg-id CAG7mmoy15-DwXWcT1h7-vywTYKeaiQaYRXJDG2q+3JH1dmXESg@mail.gmail.com
In response to pgAdmin4 1.0-beta3 - XSS in sidebar  (Krzysztof O <krzotr@gmail.com>)
Responses Re: pgAdmin4 1.0-beta3 - XSS in sidebar  (Dave Page <dpage@pgadmin.org>)
List pgadmin-support
Thanks for the report.
I will create a case for the same in Redmine.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company


http://www.linkedin.com/in/asheshvashi


On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr@gmail.com> wrote:
Hi,

I have created table:
    CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
        id serial
    );

In the sidebar I expanded "Tables" and I moved my mouse to table "X". In
that case I received a JavaScript alert.

XSS works when I put malicious code into an index name or column name:
    CREATE TABLE a (id serial);
    CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);

    CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);


During removal of an index or table I still see the JavaScript alert. And
the last one, in the "Properties" tab.


All chars like <, >, ", ' should be filtered in names of tables,
columns, indexes.

Tested on: pgAdmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
4.8.5-4), 64-bit


Regards,
Krzysztof Otręba


--
Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-support
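
An added example, not part of the original thread and not pgAdmin's own code: the three object names from the report placed into a tree label with and without HTML encoding at output time. The function names and the label markup are assumptions made for illustration.

```javascript
// Added illustration; function names and the <span> markup are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the object name is concatenated into markup as-is.
function renderLabelUnsafe(kind, name) {
  return '<span class="tree-label ' + kind + '">' + name + '</span>';
}

// Hardened pattern: the name is encoded, so the browser treats it as text only.
function renderLabelSafe(kind, name) {
  return '<span class="tree-label ' + escapeHtml(kind) + '">' + escapeHtml(name) + '</span>';
}

// List the elements, with any on* handler attributes, that the markup
// would create beyond the wrapper <span> itself.
function injectedElements(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const handlers = (m[2].match(/\bon[a-z]+(?=\s*=)/gi) || []).map((h) => h.toLowerCase());
    found.push({ tag: m[1].toLowerCase(), handlers });
  }
  return found.slice(1); // drop the wrapper <span>
}

// Object names taken from the report above.
const reported = [
  ['table', "<h1 onmouseover='alert(1);'>x"],
  ['index', "<h1 onmouseover='alert(1);'>idx"],
  ['column', "<h1 onmouseover='alert(1);'>column"],
];

// Render every reported name with the given function and report what it injected.
function audit(render) {
  return reported.map(([kind, name]) => ({ kind, injected: injectedElements(render(kind, name)) }));
}

console.log(JSON.stringify({ unsafe: audit(renderLabelUnsafe), safe: audit(renderLabelSafe) }, null, 2));
```
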

