phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS)
The phpMyAdmin web application 3.4.0 beta 2 and lower versions of
3.4.x were vulnerable to Cross Site Scripting.
2. PRODUCT DESCRIPTION
phpMyAdmin is a free software tool written in PHP intended to handle
the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL.
The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations,
indexes, users, permissions, etc), while you still have the ability to
directly execute any SQL statement.
3. VULNERABILITY DESCRIPTION
The ‘db’ parameter in phpMyAdmin was not sanitized and an attacker can
inject XSS string in ‘db’ field when creating or renaming a database.
An attacker can create new database name or rename database name
through several means like SQL Injection in user’s vulnerable web
compromise of user account through brute-force or bypassing CSRF protection.
Even though the phpMyAdmin uses httpOnly as a protection against
cookie theft via XSS, attacker could use XSS tunneling proxy to
manipulate database names and fields. From it, he could execute
arbitrary database commands to allow him higher access to the server.
4. VERSIONS AFFECTED
phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x
Vendor confirmed this flaw did not exist before the 3.4 version family.
Thus, it is assumed 2.x and 3.3 <= versions are not affected.
Attackers can compromise currently logged-in user session, plant xss
backdoors and inject arbitrary SQL statements
via crafted XSS payloads.
For those who’re using version phpMyAdmin 3.4.0 beta 2 and lower,
check out the latest commit (git pull).
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-01-26: notified vendor
2011-01-26: vendor released fix
2011-01-27: vulnerability disclosed
Vendor Commit: http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a
Original Advisory URL:
YGN Ethical Hacker Group
Full-Disclosure – We believe in it.
Hosted and sponsored by Secunia – http://secunia.com/
Original post: http://www1.vul.kr/phpmyadmin-3-4-x-3-4-0-beta-2