Vigil@nce: phpMyAdmin, Cross Site Scripting of setup.php
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use parameters of the setup.php script in order to
inject HTML code into phpMyAdmin.
– Severity: 2/4
– Creation date: 23/08/2010
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin program is used to administer a MySQL database.
The setup.php script configures the environment. This script does
not filter the parameters it receives. An attacker can therefore use
it to inject arbitrary PHP code into the configuration file.
This vulnerability therefore permits an attacker to conduct a
Cross Site Scripting attack.
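The description names two places where setup parameters end up, the generated configuration file and the HTML page, and each needs its own encoding. The following is an added example, not phpMyAdmin code and not part of the bulletin; the setting names, the `$cfg` variable and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical setup settings and their allowed formats (constructed names).
const ALLOWED = [
    'host'    => '/^[A-Za-z0-9.\-]{1,253}$/D',
    'port'    => '/^[0-9]{1,5}$/D',
    'verbose' => '/^[\x20-\x7E]{0,64}$/D',
];

// Input filter: keep only known keys whose string value matches its pattern.
function filter_setup_params(array $input): array
{
    $clean = [];
    foreach (ALLOWED as $key => $pattern) {
        $value = $input[$key] ?? null;
        if (is_string($value) && preg_match($pattern, $value) === 1) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Sink 1, PHP source: var_export() emits a quoted, escaped literal,
// so a value cannot close the string and continue as code.
function render_config(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= '$cfg[' . var_export($key, true) . '] = '
              . var_export($value, true) . ";\n";
    }
    return $out;
}

// Sink 2, HTML: encode at output time for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_summary(array $settings): string
{
    $rows = '';
    foreach ($settings as $key => $value) {
        $rows .= '<li>' . h($key) . ': ' . h($value) . "</li>\n";
    }
    return "<ul>\n" . $rows . "</ul>\n";
}

// Constructed request: 'verbose' passes the filter yet still needs encoding.
$request = ['host' => 'db.example.test', 'verbose' => "it's <b>test</b>", 'other' => 'x'];
$settings = filter_setup_params($request);
echo render_config($settings), render_summary($settings);
```

The free-text value is accepted by the input filter but is only safe because each sink applies the encoding for its own context.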
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-Cross-Site-Scripting-of-setup-php-9872