Vigil@nce: phpMyAdmin, Cross-Site framing and XSS
July 2008 by Vigil@nce
SYNTHESIS
An attacker can display phpMyAdmin frame inside another page, and
can generate a Cross Site Scripting in setup.php in order to run
operations in the context on the connected victim.
Gravity: 1/4
Consequences: user access/rights
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 29/07/2008
Identifier: VIGILANCE-VUL-7976
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The phpMyAdmin program is used to administer a MySQL database. It
contains two vulnerabilities.
PhpMyAdmin protects itself from cross-site framing just in the
index.php webpage.
An attacker can therefore display PhpMyAdmin frames from an other
page and thus deceive victim. [grav:1/4]
An attacker can use XSS in the script setup.php, and then modify
the config/config.inc.php generated file to obtain rights of the
connected user. [grav:1/4]
CHARACTERISTICS
Identifiers: PMASA-2008-6, VIGILANCE-VUL-7976