lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070307155346.13761.qmail@securityfocus.com>
Date: 7 Mar 2007 15:53:46 -0000
From: alfa@...tuax.be
To: bugtraq@...urityfocus.com
Subject: xss in phpmyadmin >=2.8.0 and < 2.10.0

This xss (with xsrf possibility) works only when logged in, but since in many places anonymous logins are allowed and many webhost companies offer just 1 or few phpmyadmins for a large number of users, i consider it worth to be published.

Theoretically it is possible to obtain and use the cookie and token variables (which are necessary to get this XSS working) but i haven't made a working poc atm, but i'm sure  others will have the capability to do so.

The problem is bad filtering of $db and $table where they only check for (lowercase) </script>-tag and not for the (uppercase)</SCRIPT>-tag to break out of the javascript.

More details can be found in an advisory found here:
http://www.virtuax.be/advisories/Advisory2-24012007.txt

possible attack strings could look like:
http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
http://phpmyadmin.example.com/index.php?token=$token&db/table=</SCRIPT></head><body>[HTML]

in each case if you're running phpmyadmin <= 2.9 it's wise to update, stefan esser has even used phpmyadmin as an example in one of the bugs he found and reported in (his) mopb over a week ago(
http://www.php-security.org/MOPB/MOPB-02-2007.html  and http://www.phpmyadmin.net/)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ