phpMyAdmin read_dump.php zero_rows Parameter XSS

2004-11-18T00:00:00
ID OSVDB:11931
Type osvdb
Reporter Cedric Cochin(cco@netvigilance.com)
Modified 2004-11-18T00:00:00

Description

Vulnerability Description

phpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'zero_rows' variables upon submission to the 'read_dump.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 2.6.0-pl3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'zero_rows' variables upon submission to the 'read_dump.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[victim]/[phpMyAdmin_directory]/read_dump.php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>

References:

Vendor URL: http://www.phpmyadmin.net/ Vendor Specific Advisory URL Security Tracker: 1012281 Secunia Advisory ID:13241 Related OSVDB ID: 11930 Related OSVDB ID: 11932 Other Advisory URL: http://www.netvigilance.com/html/advisory0005.htm Other Advisory URL: http://security.gentoo.org/glsa/glsa-200411-36.xml ISS X-Force ID: 18158 CVE-2004-1055 Bugtraq ID: 11707