what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpMyAdmin 3.4.x Stored Cross Site Scripting

phpMyAdmin 3.4.x Stored Cross Site Scripting
Posted Jan 26, 2011
Authored by Aung Khant | Site yehg.net

phpMyAdmin versions 3.4.x and 3.4.0 beta 2 suffer from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 6c62a516dcba43d0e52fddd8b8bbc0b20bf6c067e550603506999902959ff3d8

phpMyAdmin 3.4.x Stored Cross Site Scripting

Change Mirror Download
===================================================================================
phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS)
Vulnerability
===================================================================================


1. OVERVIEW

The phpMyAdmin web application 3.4.0 beta 2 and lower versions of
3.4.x were vulnerable to Cross Site Scripting.


2. PRODUCT DESCRIPTION

phpMyAdmin is a free software tool written in PHP intended to handle
the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL.
The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations,
indexes, users, permissions, etc), while you still have the ability to
directly execute any SQL statement.


3. VULNERABILITY DESCRIPTION

The 'db' parameter in phpMyAdmin was not sanitized and an attacker can
inject XSS string in 'db' field when creating or renaming a database.
An attacker can create new database name or rename database name
through several means like SQL Injection in user's vulnerable web
applications or
compromise of user account through brute-force or bypassing CSRF protection.
Even though the phpMyAdmin uses httpOnly as a protection against
cookie theft via XSS, attacker could use XSS tunneling proxy to
manipulate database names and fields. From it, he could execute
arbitrary database commands to allow him higher access to the server.


4. VERSIONS AFFECTED

phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x

Vendor confirmed this flaw did not exist before the 3.4 version family.
Thus, it is assumed 2.x and 3.3 <= versions are not affected.


5. PROOF-OF-CONCEPT/EXPLOIT

http://demo.phpmyadmin.net/trunk-config/index.php?db=%27%22--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.4.0-b2-xss.jpg


6. IMPACT

Attackers can compromise currently logged-in user session, plant xss
backdoors and inject arbitrary SQL statements
(CREATE,INSERT,UPDATE,DELETE)
via crafted XSS payloads.


7. SOLUTION

For those who're using version phpMyAdmin 3.4.0 beta 2 and lower,
check out the latest commit (git pull).


8. VENDOR

phpMyAdmin (http://www.phpmyadmin.net)


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-01-26: notified vendor
2011-01-26: vendor released fix
2011-01-27: vulnerability disclosed


11. REFERENCES

Vendor Commit: http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.4.0-beta2]_cross_site_scripting(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html
Previous Releases:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php



#yehg [2011-01-27]


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close