mattyhead / sql-buddy

Automatically exported from code.google.com/p/sql-buddy
MIT License
0 stars 0 forks source link

Sending SQL from javascript to PHP scripts can be a security risk #12

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
ajaxquery.php (and some other PHP scripts) will execute the SQL found in a
posted field named "query". This is in general a bad practice and can
sometimes lead to big problems. However I don't think it poses a great risk
for the time being.

Scenario:

1) Imagine SQL Buddy has an unknown XSS vulnerability. E.g. when displaying
row data in the "Full text" popup (ajaxfulltext.php) maybe htmlentities()
wasn't used. Such a bug could be introduced in the future if we do more
advanced things in the popup window e.g. converting urls to links etc.

2) This would allow an end user of an application managed by SQL Buddy, to
embed and execute javascript in the SQL Buddy environment. This is bad by
itself but it can be catastrophic if the XSS javascript manages to execute
SQL on the server.

Solutions:

- Be very careful in order to prevent XSS vulnerabilities
- Steps could be taken to ensure that the SQL is indeed coming from SQL
Buddy and not from rogue javascript. Maybe using a hash of the logged in
username+password could differentiate valid SQL Buddy javascript from XSS
javascript.

Original issue reported on code.google.com by dare...@gmail.com on 31 Aug 2008 at 11:14

GoogleCodeExporter commented 9 years ago
"Steps could be taken to ensure that the SQL is indeed coming from SQL
Buddy and not from rogue javascript. Maybe using a hash of the logged in
username+password could differentiate valid SQL Buddy javascript from XSS
javascript."

This is already implemented. Look at this code in functions.php:

$requestKey = substr(sha1(session_id() . $_SERVER["DOCUMENT_ROOT"]), 0, 16);

This request key is sent to the browser as a javascript variable. Every Ajax 
call must pass along the request key as a parameter or it 
will not be executed. If the request key doesn't match, the request is 
immediately killed. No further code will get executed. 
Technically an attack is possible, but it would have to read the request key 
from the javascript variable and provide it along with the 
request to ajaxquery.php.

Another thing that makes ajax slightly more secure is that only $_POST is used 
to receive queries from javascript. This would make 
XSS attacks slightly more difficult.

Original comment by calvinlo...@gmail.com on 31 Aug 2008 at 7:26

GoogleCodeExporter commented 9 years ago
OK, lets hope these are enough! Although a really determined person could 
overcome
all these obstacles (always true after all)

Original comment by dare...@gmail.com on 31 Aug 2008 at 8:41