SpiderLabs Blog

TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

Written by Robert Foggia | Dec 23, 2011 8:10:00 AM

The Spiderlabs team at Trustwave published a new advisory for a Cross-Side-Scripting (XSS) found in phpMyAdmin 3.4.8 and previous versions. phpMyAdmin is an open source tool developed in PHP to manage and administer MySQL databases remotely.

The vulnerability was discovered by Jason Leyrer who is a member of the Trustwave SpiderLabs Research team. Jason discovered that the 'Servers-0-host' input field in the phpMyAdmin setup interface was unsanitized and an attacker could potentially store malicious javascript into the config file (persistent XSS) when the directory is writeable. phpMyAdmin has confirmed Jason's findings and the organization has released phpMyAdmin 3.4.9 to address this vulnerability. phpMyAdmin advisory can viewed by visiting:

http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php