InformAction Forums

Posted: **Mon Nov 02, 2015 7:46 pm**

Hey all,

There's a database I work with every day and today I got an XSS error from "chrome" while refreshing a page in phpMyAdmin. I usually hit the page embedded Refresh button, but this time I hit F5 and the NoScript error popped up and it redirected me a sanitized version of the page, so I thought I'd ask about it on the forums. Here's the error:

Code: Select all

NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome].  Technical details have been logged to the Console.

And here's the two relevant lines from the Console:

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ///mysql-admin-db-7/import.php?db=main&table=files&sql_query=SELECT+*++FROM+`files`+WHERE+`filename`+LIKE+'%keyword%'+ORDER+BY+`filename`+ASC&show_query=1&token=1234567890
(function anonymous() {
+WHERE+`filename`+LIKE+'%keyword%'+ORDER+BY+`filename`+ASC /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://www.website.com/mysql-admin-db-7/import.php?db=main&table=files&sql_query=SELECT+%2A++FROM+%60files%60+WHERE+%60filename%60+LIKE+%27%25keyword%25%27+ORDER+BY+%60filename%60+ASC&show_query=1&token=1234567890] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [https://www.website.com/#000098765432100].

It's not a big deal since I never usually hit F5 to refresh, but when I did I lost my place in the database and I was unable to hit the Back button without getting auto-sanitized every time. Also, it doesn't error me when navigating the database normally, only when doing a full reload.

Firefox 41.0.2
NoScript 2.6.9.39
Windows 7 Professional

Posted: **Mon Nov 02, 2015 10:29 pm**

Can you add this XSS exception and see if it works?
NoScript Options > Advanced > XSS, add

Code: Select all

^@chrome://browser/content/browser.xul$

Posted: **Mon Nov 02, 2015 10:52 pm**

This won't fix your current problem, but since phpMyAdmin has had a number of reported XSS vulnerabilities before, you might want to protect the whole site with ABE:

Code: Select all

Site .www.website.com
Accept from SELF
Deny

Posted: **Mon Nov 02, 2015 10:57 pm**

barbaz wrote:Can you add this XSS exception and see if it works?
NoScript Options > Advanced > XSS, add
Code: Select all
^@chrome://browser/content/browser.xul$

Yep, that seems to have fixed it. I was able to reproduce it reliably before, but now it's not happening.

Thrawn wrote:This won't fix your current problem, but since phpMyAdmin has had a number of reported XSS vulnerabilities before, you might want to protect the whole site with ABE:
Code: Select all
Site .www.website.com
Accept from SELF
Deny

I went ahead and added this as well, so hopefully that helps minimize any future problems.

Thanks for the help guys!

Posted: **Mon Nov 02, 2015 11:28 pm**

@ALbino: You're welcome

@Thrawn: Just curious, why is SELF needed here, why is SELF+ suboptimal (or a bad idea)?

Posted: **Tue Nov 03, 2015 4:58 am**

ALbino wrote:hopefully that helps minimize any future problems.

Oh, it won't fix problems with the site breaking. However, it should protect the site from actually being exploited.

barbaz wrote:Just curious, why is SELF needed here, why is SELF+ suboptimal (or a bad idea)?

I figured it's best to forbid cross-protocol requests. Unless the site uses HSTS, it might be possible for an attacker (particularly on the same network) to trigger a HTTP request, intercept it, and use that to attack the HTTPS version.

InformAction Forums

XSS and phpMyAdmin on Firefox

XSS and phpMyAdmin on Firefox

Re: XSS and phpMyAdmin on Firefox

Re: XSS and phpMyAdmin on Firefox

Re: XSS and phpMyAdmin on Firefox

Re: XSS and phpMyAdmin on Firefox

Re: XSS and phpMyAdmin on Firefox