PhpMyAdmin version 3.5.7 vulnerable to Cross Site Scripting

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. phpMyAdmin 3.5.0 to 3.5.7 versions are vulnerable to Reflected XSS in "tbl_gis_visualization.php", as mentioned in advisory. The reason for XSS is stated as insufficient sanitization of html output. Parameters vulnerable are "visualizationSettings[width]" and "visualizationSettings[height]" on "tbl_gis_visualization.php" .But there should be a valid session and valid database name for exploiting the vulnerability. Publically available exploitation details make javascript alert box to pop up, confirming the existence of Reflected XSS. The new updated version 3.5.8 is available on official website.

Posted in: hacking news