Thread: pgAdmin4 1.0-beta3 - XSS in sidebar
Hi,
I have created table:
CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
id serial
);
In sidebar I expanded "Tables" and I moved my mouse to table "X". In that case I received javascript alert.
XSS works when I put malicious code into index name or column name:
CREATE TABLE a (id serial);
CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
During removal index or table still see JavaScript alert. And last one, in "Properties" tab.
All chars like <, >, ", '. should be filtered in names of tables, columns, indexes.
Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4), 64-bit
Regards,
Krzysztof Otręba
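The behaviour reported above is what happens when object names read from the catalog are placed into the browser tree's HTML without encoding. As an added example (not part of the original thread and not pgAdmin's code; the function names and the markup shape are assumptions), this contrasts concatenating a name into markup with HTML-encoding it at render time, using the names from the report as input:

```javascript
// Added example: function names and markup shape are hypothetical, not pgAdmin's code.

// Characters that are significant in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Single pass, so already-produced entities are never escaped twice.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the catalog name is concatenated into markup as-is.
function renderNodeUnsafe(kind, name) {
  return '<span class="tree-node ' + kind + '" title="' + name + '">' + name + '</span>';
}

// Hardened pattern: the name is encoded for the HTML context at render time,
// both in the tooltip attribute and in the label text.
function renderNodeSafe(kind, name) {
  const label = escapeHtml(name);
  return `<span class="tree-node ${escapeHtml(kind)}" title="${label}">${label}</span>`;
}

// Rough check (a regex, not an HTML parser): count element start tags.
// Exactly one <span> is expected per rendered node.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Object names taken from the report, as they would come back from the catalog.
const reportedNames = [
  ['table', "<h1 onmouseover='alert(1);'>x"],
  ['index', "<h1 onmouseover='alert(1);'>idx"],
  ['column', "<h1 onmouseover='alert(1);'>column"],
];

// Returns the names whose rendering produced more than the single expected tag.
function auditRenderer(render) {
  return reportedNames
    .filter(([kind, name]) => countStartTags(render(kind, name)) !== 1)
    .map(([, name]) => name);
}

console.log('unsafe renderer leaks markup for', auditRenderer(renderNodeUnsafe).length, 'names');
console.log('safe renderer leaks markup for', auditRenderer(renderNodeSafe).length, 'names');
console.log(renderNodeSafe('table', reportedNames[0][1]));
```

Encoding at render time leaves the stored identifier unchanged, so names that are valid in PostgreSQL still display as typed.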
Thanks for the report.
I will create a case for the same in redmine.
On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr@gmail.com> wrote:
Hi,
I have created table:
CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
id serial
);
In sidebar I expanded "Tables" and I moved my mouse to table "X". In
that case I received javascript alert.
XSS works when I put malicious code into index name or column name:
CREATE TABLE a (id serial);
CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
During removal index or table still see JavaScript alert. And last
one, in "Properties" tab.
All chars like <, >, ", '. should be filtered in names of tables,
columns, indexes.
Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
4.8.5-4), 64-bit
Regards,
Krzysztof Otręba
--
Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-support
Please ask Khushboo (or Murtuza?) to work on this ASAP, and check for other similar cases.
I want it resolved on top priority.
Thanks.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Sure.
On Thu, Aug 4, 2016 at 11:45 PM, Dave Page <dpage@pgadmin.org> wrote:
Please ask Khushboo (or Murtuza?) to work on this ASAP, and check for other similar cases.
I want it resolved on top priority.
Thanks.