From: | Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com> |
---|---|
To: | Krzysztof O <krzotr(at)gmail(dot)com> |
Cc: | pgadmin-support <pgadmin-support(at)postgresql(dot)org> |
Subject: | Re: pgAdmin4 1.0-beta3 - XSS in sidebar |
Date: | 2016-08-04 18:09:19 |
Message-ID: | CAG7mmoy15-DwXWcT1h7-vywTYKeaiQaYRXJDG2q+3JH1dmXESg@mail.gmail.com |
Lists: | pgadmin-support |
Thanks for the report.
I will create a case for the same in redmine <http://redmine.postgresql.org>.
--
Thanks & Regards,
Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>
<http://www.linkedin.com/in/asheshvashi>
On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr(at)gmail(dot)com> wrote:
> Hi,
>
> I have created a table:
> CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
> id serial
> );
>
> In the sidebar I expanded "Tables" and I moved my mouse to table "X". In
> that case I received a JavaScript alert.
>
> XSS works when I put malicious code into an index name or column name:
> CREATE TABLE a (id serial);
> CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
>
> CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
>
>
> During removal of an index or table I still see the JavaScript alert. And the
> last one, in the "Properties" tab.
>
>
> All chars like <, >, ", ' should be filtered in names of tables,
> columns, indexes.
>
> Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
> on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
> 4.8.5-4), 64-bit
>
>
> Regards,
> Krzysztof Otręba
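The report above describes a catalog object name (table, index or column) being placed into the browser tree's markup without HTML encoding. As an added example, not pgAdmin's own code, the snippet below shows the vulnerable interpolation next to a hardened version that HTML-escapes the name first, and a small regression check a test suite can run over the names quoted in the report. The wrapper markup, the function names and the list of names are constructed for illustration.

```javascript
// Added example (not pgAdmin's code). Object names come back from the
// database catalog under the control of whoever could create the object,
// so the tree must treat them as untrusted text, never as markup.

// Constructed sample names, taken from the payloads quoted in the report
// plus one harmless name.
const SAMPLE_NAMES = [
  "<h1 onmouseover='alert(1);'>x",
  "<h1 onmouseover='alert(1);'>idx",
  "<h1 onmouseover='alert(1);'>column",
  "plain_name",
];

// Vulnerable pattern: the raw name is interpolated straight into HTML,
// so any tag in the name becomes part of the document.
function renderNodeUnsafe(name) {
  return `<li class="tree-node">${name}</li>`;
}

// Hardened pattern: escape every character that can change the HTML
// parse context before the name is placed into markup. In a real browser
// page, assigning `element.textContent = name` achieves the same thing
// without building markup strings at all.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNodeSafe(name) {
  return `<li class="tree-node">${escapeHtml(name)}</li>`;
}

// Regression check: after stripping our own wrapper, does the rendered
// node still contain the start of a tag or comment? For correctly
// escaped output this must be false for every name.
function introducesMarkup(html) {
  const inner = html
    .replace(/^<li class="tree-node">/, "")
    .replace(/<\/li>$/, "");
  return /<[a-zA-Z!/]/.test(inner);
}

// Returns true when every sample name renders without injecting markup.
function allNamesRenderSafely(names) {
  return names.every((n) => !introducesMarkup(renderNodeSafe(n)));
}

// Stand-alone run: compare both renderers on the sample names.
for (const name of SAMPLE_NAMES) {
  console.log("unsafe:", renderNodeUnsafe(name));
  console.log("safe:  ", renderNodeSafe(name));
}
console.log("all safe:", allNamesRenderSafely(SAMPLE_NAMES));
```

The check works on the rendered string rather than on the input, which is the property a fix actually has to guarantee: whatever the name contains, the markup the tree emits must carry it only as text.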