phpMyAdmin -- Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack

ID EF417DA3-1640-11E2-999B-E0CB4E266481
Type freebsd
Reporter FreeBSD
Modified 2012-10-08T00:00:00


The phpMyAdmin development team reports:

When creating/modifying a trigger, event or procedure with a crafted name, it is possible to trigger an XSS.

To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the website in non-SSL mode. A man-in-the-middle could modify this script on the wire to cause mischief.
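The first issue above is unescaped output of a user-controlled object name. The following is an added example (not phpMyAdmin's own code) of a trigger-listing row rendered the vulnerable way next to the hardened way; the function names and the `edit_trigger.php` link target are hypothetical.

```php
<?php
// Added example, not phpMyAdmin's code. Renders one row of a trigger listing.
// The vulnerable form writes the trigger name straight into the markup; the
// hardened form escapes each untrusted value for the context it lands in.

// Vulnerable: the name (chosen by whoever created the trigger) is interpolated
// unescaped into both text and attribute context.
function render_trigger_row_vulnerable(string $name, string $table): string
{
    // "edit_trigger.php" is a hypothetical page name used for illustration.
    return '<tr><td>' . $name . '</td>'
         . '<td><a href="edit_trigger.php?table=' . $table
         . '&amp;trigger=' . $name . '">Edit</a></td></tr>';
}

// Hardened: HTML-escape for text/attribute context. ENT_QUOTES also escapes
// single quotes; ENT_SUBSTITUTE avoids returning an empty string on malformed
// UTF-8, which would otherwise silently drop the value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_trigger_row(string $name, string $table): string
{
    // URL-encode first (query-string context), then HTML-escape the whole
    // attribute value; h() turns the "&" separator into "&amp;".
    $href = 'edit_trigger.php?table=' . rawurlencode($table)
          . '&trigger=' . rawurlencode($name);
    return '<tr><td>' . h($name) . '</td>'
         . '<td><a href="' . h($href) . '">Edit</a></td></tr>';
}

// Constructed sample input: a trigger name carrying markup, the situation
// the advisory describes.
$name  = 'before_ins"><script>alert(1)</script>';
$table = 'users';

echo render_trigger_row_vulnerable($name, $table), "\n"; // raw <script> tag reaches the browser
echo render_trigger_row($name, $table), "\n";            // only &lt;script&gt; and %3Cscript%3E

// Self-check: the hardened output must never contain a raw tag.
assert(strpos(render_trigger_row($name, $table), '<script') === false);
```

The same rule applies to the procedure and event pages: the object name is attacker-chosen data and must be escaped at every output point, not only where it is first displayed.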