diff -Nur a/Documentation.html b/Documentation.html
--- a/Documentation.html 2006-11-19 01:28:45.000000000 +0100
+++ b/Documentation.html 2008-09-20 14:06:40.000000000 +0200
@@ -556,6 +556,11 @@
If you do not want to use those features set this variable to
<tt>TRUE</tt> to stop this message from appearing.</dd>
+ <dt id="cfg_AllowThirdPartyFraming">$cfg['AllowThirdPartyFraming'] boolean</dt>
+ <dd>Setting this to <tt>true</tt> allows a page located on a different
+ domain to call phpMyAdmin inside a frame, and is a potential security
+ hole allowing cross-frame scripting attacks.</dd>
+
<dt id="cfg_blowfish_secret">$cfg['blowfish_secret'] string</dt>
<dd>The "cookie" auth_type uses blowfish
algorithm to encrypt the password.<br />
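Review bot: the new `<dd>` for `$cfg['AllowThirdPartyFraming']` does not state the default, so a reader cannot tell from the documentation alone whether framing is blocked out of the box; the config.default.php hunk in this same patch sets it to `false`, so the entry should say "Defaults to false" in the same way neighbouring entries document their defaults. It would also help to say that the protection is implemented as a script in the page header, since an administrator reading only this paragraph will otherwise assume a server-side control.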
diff -Nur a/Documentation.txt b/Documentation.txt
--- a/Documentation.txt 2006-11-19 01:28:45.000000000 +0100
+++ b/Documentation.txt 2008-09-20 14:08:09.000000000 +0200
@@ -398,6 +398,10 @@
will find a link that will analyze why those features have been disabled.
If you do not want to use those features set this variable to TRUE to stop
this message from appearing.
+$cfg['AllowThirdPartyFraming'] boolean
+ Setting this to true allows a page located on a different domain to call
+ phpMyAdmin inside a frame, and is a potential security hole allowing
+ cross-frame scripting attacks.
$cfg['blowfish_secret'] string
The "cookie" auth_type uses blowfish algorithm to encrypt the password.
If you are using the "cookie" auth_type, enter here a random passphrase of
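Review bot: "a page located on a different domain" is looser than what the check in header.inc.php actually tests; that script compares `top.document.domain` with `self.document.domain`, so the boundary is the document's domain/origin as seen by the browser, not a registered domain. Suggest wording this entry (and its HTML twin) as "a page from a different origin" so the text and the code agree.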
diff -Nur a/libraries/config.default.php b/libraries/config.default.php
--- a/libraries/config.default.php 2006-11-19 01:28:45.000000000 +0100
+++ b/libraries/config.default.php 2008-09-20 14:07:34.000000000 +0200
@@ -37,6 +37,14 @@
$cfg['PmaNoRelation_DisableWarning'] = FALSE;
/**
+ * Allows phpMyAdmin to be included from a document located on
+ * another domain; setting this to true is a potential security hole
+ *
+ * @global boolean $cfg['AllowThirdPartyFraming']
+ */
+$cfg['AllowThirdPartyFraming'] = false;
+
+/**
* The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
* at least one server configuration uses 'cookie' auth_type, enter here a
* passphrase that will be used by blowfish. The maximum length seems to be 46
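Review bot: the new assignment uses lowercase `false` while the surrounding defaults in this file use `FALSE` (see `$cfg['PmaNoRelation_DisableWarning'] = FALSE;` in the context above); the two are the same PHP constant, but the file should stay consistent, and the docblock sentence "setting this to true is a potential security hole" is missing its terminating period. Consider `$cfg['AllowThirdPartyFraming'] = FALSE;` and closing the sentence.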
diff -Nur a/libraries/header.inc.php b/libraries/header.inc.php
--- a/libraries/header.inc.php 2006-11-19 01:28:45.000000000 +0100
+++ b/libraries/header.inc.php 2008-09-20 14:05:19.000000000 +0200
@@ -25,6 +25,27 @@
require_once './libraries/header_http.inc.php';
require_once './libraries/header_meta_style.inc.php';
+ // Cross-framing protection
+ if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming']) {
+ ?>
+ <script type="text/javascript">
+ try {
+ // can't access this if on a different domain
+ var topdomain = top.document.domain;
+ // double-check just for sure
+ if (topdomain != self.document.domain) {
+ alert("Redirecting...");
+ top.location.replace(self.document.URL.substring(0, self.document.URL.lastIndexOf("/")+1));
+ }
+ }
+ catch(e) {
+ alert("Redirecting... (error: " + e);
+ top.location.replace(self.document.URL.substring(0, self.document.URL.lastIndexOf("/")+1));
+ }
+
+ </script>
+ <?php
+ }
// generate title
$title = str_replace(
array(
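Review bot: the `if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming'])` test fails open: the protection is emitted only when the value is exactly boolean `false`, so a null (key missing from an older config.inc.php that is not merged with the defaults), `0` or `'0'` silently disables it. A fail-closed form such as `if (! $GLOBALS['cfg']['AllowThirdPartyFraming'])` engages the script for every value except an explicit truthy opt-in. Two smaller points in the same block: the `catch` branch's `alert("Redirecting... (error: " + e);` never closes the parenthesis it opens, and both `alert()` calls block the subsequent `top.location.replace(...)` until the user dismisses the dialog, so the redirect should come first or the alerts should be dropped. Finally, this is a client-script-only defense; a browser with scripting disabled gets none of it, so an equivalent response header sent from header_http.inc.php (which this file already requires) would be worth adding alongside.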
diff -Nur a/scripts/setup.php b/scripts/setup.php
--- a/scripts/setup.php 2008-09-20 13:29:43.000000000 +0200
+++ b/scripts/setup.php 2008-09-20 14:05:19.000000000 +0200
@@ -628,7 +628,7 @@
echo $val[0];
echo '</div>';
echo '<div class="data">';
- echo $val[1];
+ echo htmlspecialchars($val[1]);
echo '</div>';
echo '</div>' . "\n";
}
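Review bot: `$val[0]` on the line `echo $val[0];` is still echoed unescaped, while this hunk only wraps `$val[1]` in `htmlspecialchars()`; if both elements of `$val` come from the same source, `$val[0]` needs the same treatment (`echo htmlspecialchars($val[0]);`), otherwise a one-line comment explaining why `$val[0]` is trusted would stop the next reader from re-raising this.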