xss in phpmyadmin >=2.8.0 and < 2.10.0
This xss (with xsrf possibility) works only when logged in, but since in many
places anonymous logins are allowed and many webhost companies offer just 1 or
few phpmyadmins for a large number of users, i consider it worth to be
published.
Theoretically it is possible to obtain and use the cookie and token variables
(which are necessary to get this XSS working) but i haven't made a working poc
atm, but i'm sure others will have the capability to do so.
The problem is bad filtering of $db and $table where they only check for
(lowercase) </script>-tag and not for the (uppercase)</SCRIPT>-tag to break out
of the javascript.
More details can be found in an advisory found here:
http://www.virtuax.be/advisories/Advisory2-24012007.txt
possible attack strings could look like:
http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
http://phpmyadmin.example.com/index.php?token=$token&db/table=</SCRIPT></head><body>[HTML]
in each case if you're running phpmyadmin <= 2.9 it's wise to update, stefan
esser has even used phpmyadmin as an example in one of the bugs he found and
reported in (his) mopb over a week ago(
http://www.php-security.org/MOPB/MOPB-02-2007.html and
http://www.phpmyadmin.net/)