XSS and phpMyAdmin on Firefox

[ALbino]

Hey all,

There's a database I work with every day and today I got an XSS error from "chrome" while refreshing a page in phpMyAdmin. I usually hit the page embedded Refresh button, but this time I hit F5 and the NoScript error popped up and it redirected me a sanitized version of the page, so I thought I'd ask about it on the forums. Here's the error:

Code: Select all

NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome].  Technical details have been logged to the Console.

And here's the two relevant lines from the Console:

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ///mysql-admin-db-7/import.php?db=main&table=files&sql_query=SELECT+*++FROM+`files`+WHERE+`filename`+LIKE+'%keyword%'+ORDER+BY+`filename`+ASC&show_query=1&token=1234567890
(function anonymous() {
+WHERE+`filename`+LIKE+'%keyword%'+ORDER+BY+`filename`+ASC /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://www.website.com/mysql-admin-db-7/import.php?db=main&table=files&sql_query=SELECT+%2A++FROM+%60files%60+WHERE+%60filename%60+LIKE+%27%25keyword%25%27+ORDER+BY+%60filename%60+ASC&show_query=1&token=1234567890] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [https://www.website.com/#000098765432100].

It's not a big deal since I never usually hit F5 to refresh, but when I did I lost my place in the database and I was unable to hit the Back button without getting auto-sanitized every time. Also, it doesn't error me when navigating the database normally, only when doing a full reload.

Firefox 41.0.2
NoScript 2.6.9.39
Windows 7 Professional

[barbaz]

Can you add this XSS exception and see if it works?
NoScript Options > Advanced > XSS, add

Code: Select all

^@chrome://browser/content/browser.xul$

[Thrawn]

This won't fix your current problem, but since phpMyAdmin has had a number of reported XSS vulnerabilities before, you might want to protect the whole site with ABE:

Code: Select all

Site .www.website.com
Accept from SELF
Deny

[ALbino]

Can you add this XSS exception and see if it works?
NoScript Options > Advanced > XSS, add

Code: Select all

^@chrome://browser/content/browser.xul$

Yep, that seems to have fixed it. I was able to reproduce it reliably before, but now it's not happening.

This won't fix your current problem, but since phpMyAdmin has had a number of reported XSS vulnerabilities before, you might want to protect the whole site with ABE:

Code: Select all

Site .www.website.com
Accept from SELF
Deny

I went ahead and added this as well, so hopefully that helps minimize any future problems.

Thanks for the help guys!

[barbaz]

@ALbino: You're welcome

@Thrawn: Just curious, why is SELF needed here, why is SELF+ suboptimal (or a bad idea)?

[Thrawn]

hopefully that helps minimize any future problems.

Oh, it won't fix problems with the site breaking. However, it should protect the site from actually being exploited.

Just curious, why is SELF needed here, why is SELF+ suboptimal (or a bad idea)?

I figured it's best to forbid cross-protocol requests. Unless the site uses HSTS, it might be possible for an attacker (particularly on the same network) to trigger a HTTP request, intercept it, and use that to attack the HTTPS version.