Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

The Spiderlabs team at Trustwave published a new advisory for a Cross-Side-Scripting (XSS) found in phpMyAdmin 3.4.8 and previous versions. phpMyAdmin is an open source tool developed in PHP to manage and administer MySQL databases remotely.

The vulnerability was discovered by Jason Leyrer who is a member of the Trustwave SpiderLabs Research team. Jason discovered that the 'Servers-0-host' input field in the phpMyAdmin setup interface was unsanitized and an attacker could potentially store malicious javascript into the config file (persistent XSS) when the directory is writeable. phpMyAdmin has confirmed Jason's findings and the organization has released phpMyAdmin 3.4.9 to address this vulnerability. phpMyAdmin advisory can viewed by visiting: