phpMyAdmin Cross-site Scripting Vulnerability
==========================================================
Title: phpMyAdmin Cross-site Scripting Vulnerability
Application: phpMyAdmin
Vendor: http://www.phpmyadmin.net
Vulnerable Versions: <=2.6.2-beta1
Corrected: phpMyAdmin versions after 2.6.2-beta1
Bug: Cross-site Scripting
Date: 3-Apr-2005
Author: Oriol Torrent Santiago < oriol.torrent@xxxxxxxxx >
References:
http://www.arrelnet.com/advisories/adv20050403.html
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3
==========================================================
1) Background
-----------
phpMyAdmin is a tool written in PHP intended to handle the administration
of MySQL over the Web. Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields, manage privileges,export data into various formats
and is available in 47 languages.
2) Problem description
--------------------
phpMyAdmin <=2.6.2-beta1 contain a vulnerability is caused due to
missing validation of input supplied to "convcharset" variable.
This can be exploited to execute arbitrary HTML and script code(JavaScript,
VBScript,etc.) in a user's browser session in context of a vulnerable site.
It allows an attacker to use the vulnerability to compromise the phpMyAdmin
account, cookie theft, etc.
Ex1:
http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>
Ex2:
http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>
3) Solution:
---------
Vendor was contacted on the 29th of March 2005 and new version is released
Download the latest version of phpMyAdmin
4) Timeline
--------
29/03/2005 Bug discovered
29/03/2005 Vendor notified
29/03/2005 Vendor response and bug fixed
03/04/2005 New version released
03/04/2005 Advisory released