Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Antoine Beaupré <anarcat@orangeseeds.org> writes:
>> +--- a/url.php
>> ++++ b/url.php
>> ++ // JavaScript redirection is necessary. Because if header() is used
>> ++ // then web browser sometimes does not change the HTTP_REFERER
>> ++ // field and so with old URL as Referer, token also goes to
>> ++ // external site.
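Review bot: the added comment explains why header() is avoided but not what the Referer becomes after the JavaScript hop, namely url.php's own request URL; the comment (or the code below it) should state that this URL must not carry the token, and should say what happens for clients with JavaScript disabled, since the hunk shows no fallback for them.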
>
> I haven't reviewed the whole code - but this actually works? Doesn't
> this assume the token isn't passed to the url.php file?
I am still a bit unclear on the CVE-2016-4412 / PMASA-2016-57
vulnerability. Ok, so let's say the vulnerability is in the HTTP_REFERER
having the token. In which case, if this JavaScript redirection
successfully hides the HTTP_REFERER header, there is no need for a
whitelist.
I am guessing the JavaScript isn't reliable. Or doesn't work on all
browsers. I will conduct some more tests.
--
Brian May <bam@debian.org>