Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16291
HistoryMar 09, 2007 - 12:00 a.m.

xss in phpmyadmin >=2.8.0 and < 2.10.0

2007-03-0900:00:00
vulners.com
12
JSON

This xss (with xsrf possibility) works only when logged in, but since in many places anonymous logins are allowed and many webhost companies offer just 1 or few phpmyadmins for a large number of users, i consider it worth to be published.

Theoretically it is possible to obtain and use the cookie and token variables (which are necessary to get this XSS working) but i haven't made a working poc atm, but i'm sure others will have the capability to do so.

The problem is bad filtering of $db and $table where they only check for (lowercase) </script>-tag and not for the (uppercase)</SCRIPT>-tag to break out of the javascript.

More details can be found in an advisory found here:
http://www.virtuax.be/advisories/Advisory2-24012007.txt

possible attack strings could look like:
http://phpmyadmin.example.com/index.php?token=$token&amp;db/table=&#39;;[XSS]
http://phpmyadmin.example.com/index.php?token=$token&amp;db/table=&lt;/SCRIPT&gt;&lt;/head&gt;&lt;body&gt;[HTML]

in each case if you're running phpmyadmin <= 2.9 it's wise to update, stefan esser has even used phpmyadmin as an example in one of the bugs he found and reported in (his) mopb over a week ago(
http://www.php-security.org/MOPB/MOPB-02-2007.html and http://www.phpmyadmin.net/&#41;

JSON