Hello! I have tested the fixes in a virtual machine and here are the
results.
Current version in Impish does not work at all and
1.9.8.2-1ubuntu0.21.10.1 version fixes the problems and is not
vulnerable to the XSS in the newRows parameter. 👍
Current version for Focal is vulnerable and 1.9.8.2-1ubuntu0.20.04.1
fixes the issue. 👍
Although, version in Bionic 1.9.7.1-1ubuntu0.1 has the XSS flaw though
the POST parameter 'num', it is hardly exploitable because of CSRF
protection. An attacker needs to know somehow a token before he could
inject malicious code. In fact, I found other problem with the current
version, the file /etc/apache/conf-available/phpliteadmin.conf contains
"Depends: php7.0" magic comment that is blocking it from automatic
activation by the postinst script. It would be great to replace digit
7.0 with 7.2. Since the original issue is mitigated, let me propose one
more one-liner fix. 🤔
Hello! I have tested the fixes in a virtual machine and here are the
results.
Current version in Impish does not work at all and 1ubuntu0. 21.10.1 version fixes the problems and is not
1.9.8.2-
vulnerable to the XSS in the newRows parameter. 👍
Current version for Focal is vulnerable and 1.9.8.2- 1ubuntu0. 20.04.1
fixes the issue. 👍
Although, version in Bionic 1.9.7.1-1ubuntu0.1 has the XSS flaw though conf-available/ phpliteadmin. conf contains
the POST parameter 'num', it is hardly exploitable because of CSRF
protection. An attacker needs to know somehow a token before he could
inject malicious code. In fact, I found other problem with the current
version, the file /etc/apache/
"Depends: php7.0" magic comment that is blocking it from automatic
activation by the postinst script. It would be great to replace digit
7.0 with 7.2. Since the original issue is mitigated, let me propose one
more one-liner fix. 🤔