BID:52857

phpMyAdmin Database Name Cross Site Scripting Vulnerability

Info

phpMyAdmin Database Name Cross Site Scripting Vulnerability

Bugtraq ID:	52857
Class:	Input Validation Error
CVE:	CVE-2012-1190
Remote:	Yes
Local:	No
Published:	Feb 18 2012 12:00AM
Updated:	May 07 2015 05:13PM
Credit:	Jakub Galczyk
Vulnerable:	phpMyAdmin phpMyAdmin 3.4.10 phpMyAdmin phpMyAdmin 3.4.9 phpMyAdmin phpMyAdmin 3.4.8 phpMyAdmin phpMyAdmin 3.4.6 phpMyAdmin phpMyAdmin 3.4.5 phpMyAdmin phpMyAdmin 3.4.3 phpMyAdmin phpMyAdmin 3.3.8 phpMyAdmin phpMyAdmin 3.3.7 phpMyAdmin phpMyAdmin 3.3.6 phpMyAdmin phpMyAdmin 3.3.5 phpMyAdmin phpMyAdmin 3.3.3 0 phpMyAdmin phpMyAdmin 3.4.4 phpMyAdmin phpMyAdmin 3.4.3.2 phpMyAdmin phpMyAdmin 3.4.3.1 phpMyAdmin phpMyAdmin 3.4.1 phpMyAdmin phpMyAdmin 3.4.0 phpMyAdmin phpMyAdmin 3.3.9.2 phpMyAdmin phpMyAdmin 3.3.8.1 phpMyAdmin phpMyAdmin 3.3.6 phpMyAdmin phpMyAdmin 3.3.5.1 phpMyAdmin phpMyAdmin 3.3.5.0 phpMyAdmin phpMyAdmin 3.3.4.0 phpMyAdmin phpMyAdmin 3.3.2.0 phpMyAdmin phpMyAdmin 3.3.10.4 phpMyAdmin phpMyAdmin 3.3.10.3 phpMyAdmin phpMyAdmin 3.3.10.2 phpMyAdmin phpMyAdmin 3.3.10.1 phpMyAdmin phpMyAdmin 3.3.1.0 phpMyAdmin phpMyAdmin 3.3.0.0 MandrakeSoft Enterprise Server 5 x86_64 MandrakeSoft Enterprise Server 5

Not Vulnerable:	phpMyAdmin phpMyAdmin 3.4.10 1

Discussion

phpMyAdmin Database Name Cross Site Scripting Vulnerability

phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

phpMyAdmin versions prior to 3.4.10.1 are vulnerable.

Exploit / POC

phpMyAdmin Database Name Cross Site Scripting Vulnerability

An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.

Solution / Fix

phpMyAdmin Database Name Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more information.

MandrakeSoft Enterprise Server 5 x86_64

Mandriva phpmyadmin-3.4.10.2-0.1mdvmes5.2.noarch.rpm
http://www.mandriva.com/en/downloads/

MandrakeSoft Enterprise Server 5

Mandriva phpmyadmin-3.4.10.2-0.1mdvmes5.2.noarch.rpm
http://www.mandriva.com/en/downloads/

References

phpMyAdmin Database Name Cross Site Scripting Vulnerability

References:

phpMyAdmin Homepage (phpMyAdmin)
PMASA-2012-1 (phpMyAdmin)