Vigil@nce: phpMyAdmin, Cross Site Scripting of libraries
June 2008 by Vigil@nce
An attacker can create a Cross Site Scripting attack in phpMyAdmin.
– Gravity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 24/06/2008
– Identifier: VIGILANCE-VUL-7908
IMPACTED PRODUCTS
Unix - plateform
DESCRIPTION
The phpMyAdmin program is used to administer a MySQL database.
The /libraries directory contains several files which display
received parameters without filtering them. This vulnerability can
only be exploited when register_globals is enabled, and if the
".htaccess" file located in the /libraries directory is ignored by
Apache.
An attacker can therefore create a Cross Site Scripting attack,
when victim is authenticated on phpMyAdmin.
CHARACTERISTICS
– Identifiers: PMASA-2008-4, VIGILANCE-VUL-7908
– Url: https://vigilance.aql.fr/tree/1/7908