phpMyAdmin 3.4.x Stored Cross Site Scripting

`===================================================================================  
phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS)  
Vulnerability  
===================================================================================  
  
  
1. OVERVIEW  
  
The phpMyAdmin web application 3.4.0 beta 2 and lower versions of  
3.4.x were vulnerable to Cross Site Scripting.  
  
  
2. PRODUCT DESCRIPTION  
  
phpMyAdmin is a free software tool written in PHP intended to handle  
the administration of MySQL over the World Wide Web.  
phpMyAdmin supports a wide range of operations with MySQL.  
The most frequently used operations are supported by the user  
interface (managing databases, tables, fields, relations,  
indexes, users, permissions, etc), while you still have the ability to  
directly execute any SQL statement.  
  
  
3. VULNERABILITY DESCRIPTION  
  
The 'db' parameter in phpMyAdmin was not sanitized and an attacker can  
inject XSS string in 'db' field when creating or renaming a database.  
An attacker can create new database name or rename database name  
through several means like SQL Injection in user's vulnerable web  
applications or  
compromise of user account through brute-force or bypassing CSRF protection.  
Even though the phpMyAdmin uses httpOnly as a protection against  
cookie theft via XSS, attacker could use XSS tunneling proxy to  
manipulate database names and fields. From it, he could execute  
arbitrary database commands to allow him higher access to the server.  
  
  
4. VERSIONS AFFECTED  
  
phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x  
  
Vendor confirmed this flaw did not exist before the 3.4 version family.  
Thus, it is assumed 2.x and 3.3 <= versions are not affected.  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://demo.phpmyadmin.net/trunk-config/index.php?db=%27%22--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.4.0-b2-xss.jpg  
  
  
6. IMPACT  
  
Attackers can compromise currently logged-in user session, plant xss  
backdoors and inject arbitrary SQL statements  
(CREATE,INSERT,UPDATE,DELETE)  
via crafted XSS payloads.  
  
  
7. SOLUTION  
  
For those who're using version phpMyAdmin 3.4.0 beta 2 and lower,  
check out the latest commit (git pull).  
  
  
8. VENDOR  
  
phpMyAdmin (http://www.phpmyadmin.net)  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
2011-01-26: notified vendor  
2011-01-26: vendor released fix  
2011-01-27: vulnerability disclosed  
  
  
11. REFERENCES  
  
Vendor Commit: http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.4.0-beta2]_cross_site_scripting(XSS)  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
Previous Releases:  
http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php  
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php  
http://www.phpmyadmin.net/home_page/security/PMASA-2008-5.php  
http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php  
  
  
  
#yehg [2011-01-27]  
  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
  
`