
Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66



Antoine Beaupré <anarcat@orangeseeds.org> writes:

>> +--- a/url.php
>> ++++ b/url.php
>> ++    // JavaScript redirection is necessary. Because if header() is used
>> ++    //  then web browser sometimes does not change the HTTP_REFERER
>> ++    //  field and so with old URL as Referer, token also goes to
>> ++    //  external site.
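Review bot: the comment in this hunk justifies the JavaScript hop by observing that browsers "sometimes" keep the old Referer after a header() redirect, but the hunk shows no code that removes the token from url.php's own URL or declares a referrer policy, so the protection rests on the very browser behaviour the comment calls unreliable. Suggest documenting the precondition (url.php must itself be reached without the token in its query string) in the comment, and pairing the redirect with an explicit `Referrer-Policy: no-referrer` response header or a `<meta name="referrer" content="no-referrer">` tag in the bounce page, so the Referer is suppressed regardless of how a given browser treats the JavaScript navigation.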
>
> I haven't reviewed the whole code - but this actually works? Doesn't
> this assume the token isn't passed to the url.php file?

I am still a bit unclear on the CVE-2016-4412 / PMASA-2016-57
vulnerability. Ok, so let's say the vulnerability is in the HTTP_REFERER
having the token. In which case, if this JavaScript redirection
successfully hides the HTTP_REFERER header, there is no need for a
whitelist.

I am guessing the JavaScript isn't reliable. Or doesn't work on all
browsers. I will conduct some more tests.
-- 
Brian May <bam@debian.org>

