Vigil@nce: phpMyAdmin, Cross Site Scripting of tbl_tracking.php
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a Cross Site Scripting in the table
tracking feature of phpMyAdmin, in order to execute JavaScript
code in the victim’s web browser.
– Severity: 2/4
– Creation date: 25/08/2011
IMPACTED PRODUCTS
– TYPO3
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin program is used to administer a MySQL database.
The tbl_tracking.php script is used to monitor changes on a table.
However, this script does not filter the "date", "username",
"version", etc. parameters before displaying them in the result
HTML page.
An attacker can therefore create a Cross Site Scripting in the
table tracking feature of phpMyAdmin, in order to execute
JavaScript code in the victim’s web browser.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-Cross-Site-Scripting-of-tbl-tracking-php-10952