Friday, April 12, 2013

phpMyAdmin XSS


For those who don't know it, phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.

When using it on a client I found out that, under versions 3.5.3, 3.5.4 and 3.5.5, it was possible to inject a self-XSS.

The vulnerability is under "Query results operations" - "Display Chart", in the "Title" field. When the title is written with an XSS vector, the code is automatically executed.

Proof of concept:
Chart title"><script>alert("xss by @dsopas")
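
Why a title like this executes, shown as an added example that is not from the original post or from phpMyAdmin's source: a hypothetical renderer that concatenates the title into markup, next to one that HTML-escapes it first. The function names and the markup are assumptions; the title string is the proof of concept above.

```javascript
// Added illustration, not phpMyAdmin source. Function names and markup are hypothetical.

// Characters that are significant in HTML text and in quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode user-supplied text so the browser treats it as data, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the title is concatenated as-is into an attribute value
// and into element content. A '"' ends the attribute and '>' ends the tag,
// so whatever follows is parsed as new markup.
function renderTitleUnsafe(title) {
  return '<input type="text" name="chartTitle" value="' + title + '">' +
         '<div class="chart-title">' + title + '</div>';
}

// Hardened pattern: encode once, at the point of output, for both sinks.
function renderTitleSafe(title) {
  const t = escapeHtml(title);
  return '<input type="text" name="chartTitle" value="' + t + '">' +
         '<div class="chart-title">' + t + '</div>';
}

// Regression check: number of raw <script openings that reach the markup.
function countScriptTags(markup) {
  return (markup.match(/<script\b/gi) || []).length;
}

// Title string taken from the proof of concept in the post.
const POC_TITLE = 'Chart title"><script>alert("xss by @dsopas")';

console.log("unsafe:", renderTitleUnsafe(POC_TITLE));
console.log("safe:  ", renderTitleSafe(POC_TITLE));
console.log("script tags (unsafe/safe):",
  countScriptTags(renderTitleUnsafe(POC_TITLE)),
  countScriptTags(renderTitleSafe(POC_TITLE)));
```

In a real page the same rule applies to DOM APIs: assigning the title through `textContent` or `setAttribute` keeps it as data, while building it into an `innerHTML` string reproduces the unsafe case.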


This bug was fixed (version 3.5.6) but per their policy for self-XSS, they decided against a security release.
The commit is https://github.com/phpmyadmin/phpmyadmin/commit/d30aaae.

Timeline:
10 Jan 2013: Reported to phpMyAdmin security team
10 Jan 2013: They replied and told me that they're investigating
15 Mar 2013: I asked for an update - they reported that it had already been fixed since January
12 Apr 2013: Full disclosure
