pgAdmin4 1.0-beta3 - XSS in sidebar

From: Krzysztof O <krzotr(at)gmail(dot)com>
To: pgadmin-support(at)postgresql(dot)org
Subject: pgAdmin4 1.0-beta3 - XSS in sidebar
Date: 2016-08-04 18:05:00
Message-ID: CACC7Kc3zfZ_WigCfULeQ99-XpqYq2q53W6PZ2JtXACGCoybZyQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgadmin-support

Hi,

I have created table:
CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
id serial
);

In sidebar I expanded "Tables" and i moved my mouse to table "X". In
that case I received javascript alert.

XSS works when i put malicious code into index name or column name:
CREATE TABLE a (id serial);
CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);

CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);

During removal index or table still see JavaScript alert. And last
one, in "Properties" tab.

All chars like <, >, ", '. should be filtered in names of tables,
columns, indexes.

Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
4.8.5-4), 64-bit

Regards,
Krzysztof Otręba

Attachment Content-Type Size
image/png 41.8 KB
image/png 37.5 KB
image/png 43.5 KB

Responses

Browse pgadmin-support by date

  From Date Subject
Next Message Ashesh Vashi 2016-08-04 18:09:19 Re: pgAdmin4 1.0-beta3 - XSS in sidebar
Previous Message Mahesh Balumuri 2016-08-03 12:08:57 Error while running with apache wsgi