Hello! I have tested the fixes in a virtual machine and here are the results.
Current version in Impish does not work at all and 1.9.8.2-1ubuntu0.21.10.1 version fixes the problems and is not vulnerable to the XSS in the newRows parameter. 👍 Current version for Focal is vulnerable and 1.9.8.2-1ubuntu0.20.04.1 fixes the issue. 👍 Although, version in Bionic 1.9.7.1-1ubuntu0.1 has the XSS flaw though the POST parameter 'num', it is hardly exploitable because of CSRF protection. An attacker needs to know somehow a token before he could inject malicious code. In fact, I found other problem with the current version, the file /etc/apache/conf-available/phpliteadmin.conf contains "Depends: php7.0" magic comment that is blocking it from automatic activation by the postinst script. It would be great to replace digit 7.0 with 7.2. Since the original issue is mitigated, let me propose one more one-liner fix. 🤔 ** Patch added: "phpliteadmin_1.9.7.1-1ubuntu0.2.debdiff" https://bugs.launchpad.net/bugs/1964710/+attachment/5592042/+files/phpliteadmin_1.9.7.1-1ubuntu0.2.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1964710 Title: XSS vulnerability in row_create To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/phpliteadmin/+bug/1964710/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
