Fix stored XSS in navigation panel logo link, see PMASA-2013-9

phpmyadmin · Jul 8, 2013 · 7c58ed0 · 7c58ed0
1 parent 6f003b0
commit 7c58ed0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -5,6 +5,7 @@ phpMyAdmin - ChangeLog
 - [security] Fix self-XSS in "Showing rows", see PMASA-2013-8
 - [security] Fix self-XSS in Display chart, see PMASA-2013-9
 - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+- [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
 
 3.5.8.1 (2013-04-24)
 - [security] Remote code execution (preg_replace), reported by Janek Vind

diff --git a/libraries/navigation_header.inc.php b/libraries/navigation_header.inc.php
@@ -31,7 +31,14 @@
 
     echo '<div id="pmalogo">' . "\n";
     if ($GLOBALS['cfg']['LeftLogoLink']) {
-        echo '<a href="' . htmlspecialchars($GLOBALS['cfg']['LeftLogoLink']);
+        $logo_link = trim(htmlspecialchars($GLOBALS['cfg']['LeftLogoLink']));
+        // prevent XSS, see PMASA-2013-9
+        // if link has protocol, allow only http and https
+        if (preg_match('/^[a-z]+:/i', $logo_link)
+            && ! preg_match('/^https?:/i', $logo_link)) {
+            $logo_link = 'main.php';
+        }
+        echo '<a href="' . $logo_link;
         switch ($GLOBALS['cfg']['LeftLogoLinkWindow']) {
             case 'new':
                 echo '" target="_blank"';