-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: phpMyAdmin - error.php XSS Vulnerability
Release Date: 2006/11/02 Last Modified: 2006/11/02 Author: Stefan Esser [email@example.com]
Application: phpMyAdmin <= 126.96.36.199 Severity: XSS vulnerability in an error displaying script Risk: Medium Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_122006.137.html
Quote from http://www.phpmyadmin.net "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 50 languages."
It was discovered that phpMyAdmin comes with a script to display error messages that supports displaying the error in a user supplied charset. Unfortunately the encoding of the error message is not taking the charset into account which can result into XSS when UTF-7 is selected. (Other charsets like US-ASCII can also be used to exploit this in some browsers.)
To trigger this XSS vulnerability an attacker just needs to call the error displaying script with charset=utf-7 and utf-7 encoded HTML tags in the error message.
Proof of Concept:
The Hardened-PHP Project is not going to release exploits for this vulnerability to the public.
It is strongly recommended to upgrade to the newest version of phpMyAdmin 188.8.131.52 which you can download at:
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFSbPtRDkUzAqGSqERAkcTAJ49t9pfmuBAyvk0UcHuhZe/6cu48gCgp3ea HoIvssTE/gfvQyAY3BcOhwQ= =70mU -----END PGP SIGNATURE-----
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/