Vigil@nce - phpMyAdmin: Cross Site Scripting of tbl_gis_visualization
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can trigger a Cross-Site Scripting in
tbl_gis_visualization.php of phpMyAdmin, in order to execute
JavaScript code in the context of the web site (in the browser of
another logged-in phpMyAdmin user who opens a crafted link).
Impacted products: phpMyAdmin
Severity: 1/4
Creation date: 09/04/2013
DESCRIPTION OF THE VULNERABILITY
The tbl_gis_visualization.php page of phpMyAdmin generates a
graphical view of spatial (GIS) data.
However, it does not validate or encode its
"visualizationSettings[width]" and "visualizationSettings[height]"
request parameters before inserting them into the generated HTML
document. Because these values land in markup, a value containing
a closing quote or an angle bracket is interpreted as HTML rather
than as a dimension.
An authenticated attacker can therefore trigger a Cross-Site
Scripting in tbl_gis_visualization.php of phpMyAdmin, in order to
execute JavaScript code in the context of the web site, with the
session privileges of the victim user.
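The following is an added illustration of the bug class described above; it is not phpMyAdmin's own code and the page does not show the affected source. The parameter names follow the advisory, while the SVG markup, the function names and the size limits are assumptions chosen for the example. It places the unfiltered interpolation next to a hardened version that validates the dimensions as integers and still encodes them for the attribute context.

```php
<?php
// Added example, not phpMyAdmin code. Parameter names are from the advisory;
// the surrounding markup, function names and 1..10000 range are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern: request-controlled dimensions are concatenated into an
 * HTML attribute without validation or encoding. A width such as
 *   300" onload="alert(document.cookie)
 * closes the width attribute and injects an event handler.
 */
function renderVisualizationUnsafe(array $settings): string
{
    $width  = $settings['width']  ?? '';
    $height = $settings['height'] ?? '';
    return '<svg width="' . $width . '" height="' . $height . '"></svg>';
}

/**
 * Hardened pattern: reject anything that is not an integer in range, then
 * encode anyway as defence in depth. ENT_QUOTES matters here because the
 * value sits inside a double-quoted attribute; without it a closing quote
 * would survive on PHP versions where it is not the default.
 */
function renderVisualizationSafe(array $settings): string
{
    $range  = ['options' => ['min_range' => 1, 'max_range' => 10000]];
    $width  = filter_var($settings['width']  ?? null, FILTER_VALIDATE_INT, $range);
    $height = filter_var($settings['height'] ?? null, FILTER_VALIDATE_INT, $range);
    if ($width === false || $height === false) {
        // Fail closed; the caller should answer with HTTP 400 rather than
        // falling back to a default that hides the tampering.
        throw new InvalidArgumentException(
            'visualizationSettings[width]/[height] must be integers in 1..10000'
        );
    }
    $esc = static fn ($v): string =>
        htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<svg width="' . $esc($width) . '" height="' . $esc($height) . '"></svg>';
}

// Constructed request, as it would arrive from
// ?visualizationSettings[width]=...&visualizationSettings[height]=...
$payload = ['width' => '300" onload="alert(document.cookie)', 'height' => '200'];

// Unsafe rendering emits the injected onload attribute verbatim.
echo renderVisualizationUnsafe($payload), "\n";

// Safe rendering refuses the payload outright.
try {
    echo renderVisualizationSafe($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A well-formed request still renders.
echo renderVisualizationSafe(['width' => '300', 'height' => '200']), "\n";
```

Validation of the type is what removes the attack surface here: once the values are guaranteed integers, no encoding is strictly needed, but keeping htmlspecialchars() with ENT_QUOTES costs nothing and protects the template if someone later passes a non-integer setting through the same path.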
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-Cross-Site-Scripting-of-tbl-gis-visualization-12618