Computer Security

Security Advisory: phpMyAdmin multiple XSS vuln.
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  CA.View/view-law.
asp/view-info.asp sql injection

  Education_info/edu_vi
ew.asp sql injection

  Shoutbox 1.0 Remote Command Execution Vulnerability

  Coppermine Photo Gallery (yabbse.inc.
php) Remote File Inclusion Vulnerability

From:r0t <krustevs_(at)_googlemail.com>
Date:10.08.2007
Subject:phpMyAdmin multiple XSS vuln.

phpMyAdmin multiple XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 10 August 2007
vendor:http://www.phpmyadmin.net/
orginal advisory:
http://pridels-team.blogspot.com/2007/08/phpmyadmin-multiple-xss-vuln.html
affected versions:2.10.3 (latest stable version)
prior versions also can be affected.
###############################################


phpMyAdmin contains multiple flaws that allows a remote Cross-Site Scripting
attacks.Input passed to the "unlim_num_rows","sql_query","pos" parameter in
"tbl_export.php"
and "session_max_rows","pos" parameter in "sql.php"  and "username"
parameter in "server_privileges.php" and "sql_query" parameter in "main.php"
isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod
 


Rating@Mail.ru