Re: pgAdmin4 1.0-beta3 - XSS in sidebar

From: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Krzysztof O <krzotr(at)gmail(dot)com>, pgadmin-support <pgadmin-support(at)postgresql(dot)org>
Subject: Re: pgAdmin4 1.0-beta3 - XSS in sidebar
Date: 2016-08-04 18:16:05
Message-ID: CAG7mmozE7L9OND0N_29wv=Yyg0gvVTf6jpXQP_9ZEoYaMZH2rw@mail.gmail.com
Lists: pgadmin-support

Sure.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>

*http://www.linkedin.com/in/asheshvashi*
<http://www.linkedin.com/in/asheshvashi>

On Thu, Aug 4, 2016 at 11:45 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Please ask Khushboo (or Murtuza?) to work on this ASAP, and check for
> other similar cases.
>
> I want it resolved on top priority.
>
> Thanks.
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
> On 4 Aug 2016, at 19:09, Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
> wrote:
>
> Thanks for the report.
> I will create a case for the same in redmine
> <http://redmine.postgresql.org>.
>
> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> <http://www.enterprisedb.com>
>
>
> *http://www.linkedin.com/in/asheshvashi*
> <http://www.linkedin.com/in/asheshvashi>
>
> On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr(at)gmail(dot)com> wrote:
>
>> Hi,
>>
>> I have created table:
>> CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
>> id serial
>> );
>>
>> In the sidebar I expanded "Tables" and I moved my mouse to table "X". In
>> that case I received a JavaScript alert.
>>
>> XSS works when I put malicious code into an index name or column name:
>> CREATE TABLE a (id serial);
>> CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
>>
>> CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
>>
>>
>> During removal of an index or table I still see a JavaScript alert. And the
>> last one, in the "Properties" tab.
>>
>>
>> All chars like <, >, ", ' should be filtered in names of tables,
>> columns, indexes.
>>
>> Tested on: pgAdmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
>> on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
>> 4.8.5-4), 64-bit
>>
>>
>> Regards,
>> Krzysztof Otręba
>>
>>
>> --
>> Sent via pgadmin-support mailing list (pgadmin-support(at)postgresql(dot)org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgadmin-support
>>
>>
>
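
Added example, not part of the original messages and not pgAdmin4 code: the three object names from the report passed through a hypothetical tree-label renderer, first concatenated into markup as-is and then HTML-encoded at the point of output. The function names (`escapeHtml`, `renderNodeUnsafe`, `renderNodeSafe`, `countTags`) and the `tree-label` markup are assumptions made for illustration.

```javascript
// Added example: hypothetical sidebar label renderer, not pgAdmin4 source.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can switch the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the database object name is concatenated into markup unchanged.
function renderNodeUnsafe(node) {
  return '<span class="tree-label" title="' + node.name + '">' +
         node.name + '</span>';
}

// After: the name is encoded once, at output, for both the attribute
// value and the text content. The stored identifier is not altered.
function renderNodeSafe(node) {
  const label = escapeHtml(node.name);
  return '<span class="tree-label" title="' + label + '">' +
         label + '</span>';
}

// Rough check: count opening tags in the rendered string. A correctly
// rendered label contains exactly one (the wrapping <span>).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Identifiers taken from the CREATE statements in the report above.
const reportedNames = [
  "<h1 onmouseover='alert(1);'>x",
  "<h1 onmouseover='alert(1);'>idx",
  "<h1 onmouseover='alert(1);'>column",
];

for (const name of reportedNames) {
  const node = { name };
  console.log(
    'raw tags:', countTags(renderNodeUnsafe(node)),
    '| encoded tags:', countTags(renderNodeSafe(node)),
    '|', renderNodeSafe(node)
  );
}
```

The same encoding has to be applied at every place the name is rendered, which per the report includes the removal confirmation and the "Properties" tab as well as the tree.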
