Vigil@nce: phpMyAdmin, Cross Site Scripting via db
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the database search script to inject
JavaScript code into phpMyAdmin.
– Severity: 2/4
– Creation date: 30/11/2010
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin program is used to administer a MySQL database.
The PMA_linkOrButton() function of the libraries/common.lib.php
file generates links. However, this function does not filter the
parameters it places in the generated links.
The database search script uses PMA_linkOrButton() to generate a
confirmation link. This script can thus be used as an attack
vector.
An attacker can therefore use the database search script to
inject JavaScript code into phpMyAdmin.
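As an added illustration, not phpMyAdmin's own code, here is a hypothetical PHP link builder of the kind described above, in an unfiltered form beside one that encodes its parameters before writing them into the anchor; the script name, parameter names and sample search term are assumptions.

```php
<?php
// Added illustration, not phpMyAdmin's own PMA_linkOrButton(): a hypothetical
// confirmation-link builder shown with and without output encoding.
// Script name, parameter names and the sample input are constructed.

// Unfiltered form: query values and the link text are interpolated as-is.
function build_confirm_link_unfiltered(string $script, array $params, string $label): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return '<a href="' . $script . '?' . implode('&', $pairs) . '">' . $label . '</a>';
}

// Filtered form: percent-encode each query value for the URL, then HTML-escape
// what is written into the href attribute and into the element text.
function build_confirm_link_filtered(string $script, array $params, string $label): string
{
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $href  = htmlspecialchars($script . '?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text  = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// True when the rendered anchor contains only the tag and attribute delimiters
// we emitted ourselves, i.e. the untrusted value could not alter the markup.
function link_is_inert(string $html): bool
{
    // One opening <a ...> and one closing </a>; one pair of quotes around href.
    return substr_count($html, '<') === 2 && substr_count($html, '"') === 2;
}

// Constructed sample: a search term carrying markup, as a user could submit it.
$search = '"><script>alert(1)</script>';
$params = ['db' => 'sampledb', 'search_str' => $search];
$label  = 'Confirm search for ' . $search;

$unfiltered = build_confirm_link_unfiltered('search.php', $params, $label);
$filtered   = build_confirm_link_filtered('search.php', $params, $label);

var_dump(link_is_inert($unfiltered)); // the term closes the attribute and opens its own tag
var_dump(link_is_inert($filtered));   // the term survives only as %22%3E... and &quot;&gt;...
echo $filtered, PHP_EOL;
```

The check in link_is_inert() is deliberately crude (it counts delimiters rather than parsing HTML) and is meant to make the difference between the two builders visible, not to serve as a production XSS filter.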
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-Cross-Site-Scripting-via-db-10165