XSS in phpMyAdmin >= 2.8.0 and < 2.10.0

Credit: alfa
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

This XSS (with XSRF possibility) works only when logged in, but since in many places anonymous logins are allowed and many webhost companies offer just 1 or a few phpMyAdmins for a large number of users, I consider it worth publishing. Theoretically it is possible to obtain and use the cookie and token variables (which are necessary to get this XSS working), but I haven't made a working PoC atm; I'm sure others will have the capability to do so.

The problem is bad filtering of $db and $table, where they only check for the (lowercase) </script> tag and not for the (uppercase) </SCRIPT> tag to break out of the JavaScript. More details can be found in an advisory found here: http://www.virtuax.be/advisories/Advisory2-24012007.txt

Possible attack strings could look like:

    http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
    http://phpmyadmin.example.com/index.php?token=$token&db/table=</SCRIPT>< /head><body>[HTML]

In each case, if you're running phpMyAdmin <= 2.9 it's wise to update. Stefan Esser has even used phpMyAdmin as an example in one of the bugs he found and reported in (his) MOPB over a week ago (http://www.php-security.org/MOPB/MOPB-02-2007.html and http://www.phpmyadmin.net/).
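The case-sensitivity flaw described above, shown next to a context-aware encoder. This is an added example, not phpMyAdmin source code: the function names are hypothetical, the sample values are constructed, and the lowercase-only check is modelled as a case-sensitive str_replace().

```php
<?php
// Added illustration; not phpMyAdmin source. Function names are hypothetical.

// Models the flaw described in the advisory: only the lowercase closing tag
// is matched, because str_replace() is case-sensitive.
function naive_js_value(string $v): string
{
    return "'" . str_replace('</script>', '', $v) . "'";
}

// Hardened form: emit a JSON string literal with <, >, &, ' and " written as
// \uXXXX escapes, so no casing of </script> and no quote can end the context.
function safe_js_value(string $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// True if the emitted literal could close the enclosing <script> element.
function closes_script_block(string $emitted): bool
{
    return stripos($emitted, '</script') !== false;
}

// Constructed sample values, modelled on the placeholders in the advisory.
$samples = [
    'lowercase' => 'mydb</script>[HTML]',
    'uppercase' => 'mydb</SCRIPT>[HTML]',
    'mixed'     => 'mydb</ScRiPt>[HTML]',
];

foreach ($samples as $label => $value) {
    $naive = naive_js_value($value);
    $safe  = safe_js_value($value);
    printf(
        "%-9s naive=%-24s breaks=%-3s safe=%s breaks=%s\n",
        $label,
        $naive,
        closes_script_block($naive) ? 'yes' : 'no',
        $safe,
        closes_script_block($safe) ? 'yes' : 'no'
    );
}
```

Only the lowercase sample is neutralised by the naive filter; the encoder leaves no literal closing tag in any of the three.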

Copyright 2021, cxsecurity.com

