phpMyAdmin 3.3.5 / 2.11.10 Cross Site Scripting

Published 21 Aug 2010 00:00:00, reported by Aung Khant. Type: packetstorm. Source: packetstormsecurity.com

phpMyAdmin 3.3.5 / 2.11.10 cross-site scripting vulnerability that can compromise logged-in user sessions and, through them, expose a SQL injection risk

==============================================================================  
phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability  
==============================================================================  
  
  
1. OVERVIEW  
  
The phpMyAdmin web application was vulnerable to a cross-site scripting  
(XSS) vulnerability.  
  
  
2. PRODUCT DESCRIPTION  
  
phpMyAdmin is a free software tool written in PHP intended to handle  
the administration of MySQL over the World Wide Web.  
phpMyAdmin supports a wide range of operations with MySQL.  
The most frequently used operations are supported by the user  
interface (managing databases, tables, fields, relations,  
indexes, users, permissions, etc.), while you still have the ability to  
directly execute any SQL statement.  
  
  
3. VULNERABILITY DESCRIPTION  
  
Some pages in phpMyAdmin do not properly HTML-escape user input, which  
leads to a cross-site scripting vulnerability.  
For more information about this kind of vulnerability, see OWASP Top  
10 - A2, WASC-8 and  
CWE-79: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting').  
  
  
4. VERSIONS AFFECTED  
  
phpMyAdmin 3.3.5 and lower  
phpMyAdmin 2.11.10 and lower  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg  
  
Full list of URLs (both probably unexploitable and exploitable)  
that fail to HTML-escape user input:  
  
URL: http://target/phpmyadmin/db_search.php  
Affected Parameter(s): field_str  
  
URL: http://target/phpmyadmin/db_sql.php  
Affected Parameter(s): QUERY_STRING, delimiter  
  
URL: http://target/phpmyadmin/db_structure.php  
Affected Parameter(s): sort  
  
URL: http://target/phpmyadmin/js/messages.php  
Affected Parameter(s): db  
  
URL: http://target/phpmyadmin/server_databases.php  
Affected Parameter(s): sort_by  
  
URL: http://target/phpmyadmin/server_privileges.php  
Affected Parameter(s): QUERY_STRING, checkprivs, dbname,  
pred_tablename, selected_usr[], tablename, username  
  
URL: http://target/phpmyadmin/setup/config.php  
Affected Parameter(s): DefaultLang  
  
URL: http://target/phpmyadmin/sql.php  
Affected Parameter(s): QUERY_STRING, cpurge, goto, purge, purgekey, table, zero_rows  
  
URL: http://target/phpmyadmin/tbl_replace.php  
Affected (Dynamic) Parameter(s):  
fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],  
fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]  
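
The defect the advisory describes, shown as an added illustration that is not phpMyAdmin's own code: a page that writes a `sort` query parameter straight into the HTML it generates, beside a hardened version that validates the value against the set the page actually accepts and HTML-escapes anything it reflects. The parameter names `sort` and `field_str` come from the list above; the function names and the allowed sort columns are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin code. The parameter name `sort` is taken from
// the advisory's entry for db_structure.php; the allowed column set is assumed.

// VULNERABLE pattern (CWE-79): the raw query parameter is written into the page.
function render_sort_link_vulnerable(array $get): string
{
    $sort = $get['sort'] ?? 'name';
    // A value containing a double quote and a tag closes the href attribute
    // and the rest of the value is rendered as live markup.
    return '<a href="db_structure.php?sort=' . $sort . '">Sort by ' . $sort . '</a>';
}

// HARDENED pattern: whitelist the value, then escape whatever is reflected.
const ALLOWED_SORT = ['name', 'rows', 'size']; // assumed column set

function render_sort_link_safe(array $get): string
{
    $sort = $get['sort'] ?? 'name';
    if (!in_array($sort, ALLOWED_SORT, true)) {
        $sort = 'name'; // reject unexpected values instead of reflecting them
    }
    // Encode for the URL, then escape for the attribute; ENT_QUOTES covers ' and ".
    $attr = htmlspecialchars(rawurlencode($sort), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($sort, ENT_QUOTES, 'UTF-8');
    return '<a href="db_structure.php?sort=' . $attr . '">Sort by ' . $text . '</a>';
}

// Where a value cannot be whitelisted (free text such as the db_search.php
// `field_str` search term), output encoding alone neutralises any markup.
function render_search_term_safe(string $fieldStr): string
{
    return '<p>Search for: ' . htmlspecialchars($fieldStr, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: one benign value and one carrying markup.
$benign  = ['sort' => 'rows'];
$hostile = ['sort' => '"><b>injected</b>'];

echo render_sort_link_vulnerable($hostile), PHP_EOL; // markup survives intact
echo render_sort_link_safe($benign), PHP_EOL;        // accepted column
echo render_sort_link_safe($hostile), PHP_EOL;       // falls back to the default
echo render_search_term_safe('<b>x</b>'), PHP_EOL;   // tag rendered as text
```

The same two controls, a strict whitelist for enumerated parameters and context-appropriate output encoding for everything else, are what the vendor's fixed releases apply to the listed pages.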
  
  
6. IMPACT  
  
Attackers can compromise the currently logged-in user's session and inject  
arbitrary SQL statements (CREATE, INSERT, UPDATE, DELETE)  
via crafted XSS payloads.  
  
  
7. SOLUTION  
  
Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1  
  
  
8. VENDOR  
  
phpMyAdmin (http://www.phpmyadmin.net)  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
08-09-2010: vulnerability discovered  
08-10-2010: notified vendor  
08-20-2010: vendor released fix  
08-20-2010: vulnerability disclosed  
  
  
11. REFERENCES  
  
Vendor Advisory URL:  
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)  
Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php  
XSS FAQ: http://www.cgisecurity.com/xss-faq.html  
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
  
  
#yehg [08-20-2010]  
  
  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
  
