Vigil@nce: phpMyAdmin, Cross Site Scripting of db_create.php
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use the database creation feature to trigger a
Cross Site Scripting attack in phpMyAdmin.
Severity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 15/03/2010
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin server is used to administer a MySQL database via a
web browser.
The db_create.php script creates a database. The parameter
"new_db" indicates the database name.
However, the "new_db" parameter is not filtered (HTML-encoded) before being
displayed on the web page, so markup contained in the name is interpreted
by the browser.
An attacker can therefore use the database creation feature to
trigger a Cross Site Scripting attack in phpMyAdmin.
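The following PHP fragment is an added illustration, not phpMyAdmin's own code: it shows the unsafe pattern the advisory describes (a request parameter echoed straight into HTML) next to the hardened form that encodes the value before output. Function names, the message text and the sample value are assumptions made for this example.

```php
<?php
// Added illustration, not phpMyAdmin's code: a database-creation page that
// echoes the "new_db" request parameter back to the browser.
// Function names and message text are assumptions for this example.

// Vulnerable pattern: the name is placed into the HTML exactly as received,
// so any markup in the parameter is interpreted by the browser (reflected XSS).
function renderCreatedMessageUnsafe(string $newDb): string
{
    return '<p>Database ' . $newDb . ' has been created.</p>';
}

// Hardened pattern: HTML-encode the value at the point of output. ENT_QUOTES
// encodes both quote characters, so the result is also safe inside attribute
// values; the explicit charset avoids encoding-dependent surprises.
function renderCreatedMessageSafe(string $newDb): string
{
    $escaped = htmlspecialchars($newDb, ENT_QUOTES, 'UTF-8');
    return '<p>Database ' . $escaped . ' has been created.</p>';
}

// Additional input check: MySQL identifiers are at most 64 characters, so a
// name that cannot be a valid identifier can be rejected before it is stored
// or displayed (strlen counts bytes, which is a conservative bound).
function isPlausibleDbName(string $newDb): bool
{
    return $newDb !== '' && strlen($newDb) <= 64;
}

// Constructed sample value containing characters that are significant in HTML.
$sample = 'test<b>"db"</b>';

if (!isPlausibleDbName($sample)) {
    exit("rejected database name\n");
}

// First line: the tags and quotes reach the browser unchanged (markup is live).
echo renderCreatedMessageUnsafe($sample), PHP_EOL;
// Second line: the same characters are emitted as HTML entities (markup inert).
echo renderCreatedMessageSafe($sample), PHP_EOL;
```

The second output line is what a fixed page should produce; the first is the behaviour the advisory reports.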
CHARACTERISTICS
Identifiers: BID-38707, VIGILANCE-VUL-9515
http://vigilance.fr/vulnerability/phpMyAdmin-Cross-Site-Scripting-of-db-create-php-9515