The Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
Vulnerability note CVE-2009-2284
phpMyAdmin: Cross Site Scripting of bookmark
Synthesis of the vulnerability
An attacker can use the bookmark feature to trigger a Cross Site Scripting in phpMyAdmin.
Severity: 2/4.
Creation date: 02/07/2009.
Description of the vulnerability
The phpMyAdmin server is used to administer a MySQL database via a web browser. The "bookmark" feature stores frequently used SQL queries.
The PMA_formatSql() function of the libraries/common.lib.php file formats a SQL query so it can be displayed as text or HTML. However, special characters contained in the query are not filtered before being displayed.
An attacker can therefore use the bookmark feature to trigger a Cross Site Scripting in phpMyAdmin.
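The missing filtering described above, shown next to output encoding, as an added example that is not code from the bulletin or from phpMyAdmin. The functions format_sql_unsafe(), format_sql_safe() and has_raw_markup() are hypothetical simplified stand-ins, and the bookmark is a constructed sample.

```php
<?php
// Added illustration. format_sql_unsafe() and format_sql_safe() are hypothetical,
// simplified stand-ins for a query formatter; they are not phpMyAdmin's code.

// Constructed sample: a saved bookmark whose SQL text carries HTML markup.
$bookmark = [
    'label' => 'monthly report',
    'query' => "SELECT '<script>alert(1)</script>' AS note FROM t WHERE a < 5 AND b = \"x\"",
];

// Unfiltered pattern: the query text reaches the page byte for byte, so the
// browser parses any markup inside it as part of the document.
function format_sql_unsafe(string $sql): string
{
    return '<pre class="sql">' . $sql . '</pre>';
}

// Output-encoded pattern: <, >, &, " and ' become entities at display time.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function format_sql_safe(string $sql): string
{
    $encoded = htmlspecialchars($sql, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre class="sql">' . $encoded . '</pre>';
}

// Regression check: once the wrapper added by the formatter is stripped,
// no raw angle bracket from the query may remain in the output.
function has_raw_markup(string $html): bool
{
    $inner = substr($html, strlen('<pre class="sql">'), -strlen('</pre>'));
    return strpbrk($inner, '<>') !== false;
}

foreach (['format_sql_unsafe', 'format_sql_safe'] as $formatter) {
    $html = $formatter($bookmark['query']);
    printf("%-18s raw markup: %s\n%s\n\n", $formatter,
        has_raw_markup($html) ? 'yes' : 'no', $html);
}

// Encoding happens only at display time: decoding the safe output gives back
// the stored query unchanged, so the bookmark itself is not altered.
$inner = substr(format_sql_safe($bookmark['query']), strlen('<pre class="sql">'), -strlen('</pre>'));
var_dump(htmlspecialchars_decode($inner, ENT_QUOTES) === $bookmark['query']);
```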
Characteristics
Title: phpMyAdmin: Cross Site Scripting of bookmark.
Keywords: Cross HTML MySQL PMA_formatSql SQL Scripting Site bookmark phpMyAdmin.
Identifiers: BID-35543, CVE-2009-2284, FEDORA-2009-7329, FEDORA-2009-7337, FEDORA-2009-7340, MDVSA-2009:192, PMASA-2009-5, VIGILANCE-VUL-8834.
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.