TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

The Spiderlabs team at Trustwave published a new advisory for a Cross-Side-Scripting (XSS) found in phpMyAdmin 3.4.8 and previous versions. phpMyAdmin is an open source tool developed in PHP to manage and administer MySQL databases remotely.

The vulnerability was discovered by Jason Leyrer who is a member of the Trustwave SpiderLabs Research team. Jason discovered that the 'Servers-0-host' input field in the phpMyAdmin setup interface was unsanitized and an attacker could potentially store malicious javascript into the config file (persistent XSS) when the directory is writeable. phpMyAdmin has confirmed Jason's findings and the organization has released phpMyAdmin 3.4.9 to address this vulnerability. phpMyAdmin advisory can viewed by visiting:

http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php

For additional information, please view the full advisory at the following address:

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.