The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability CVE-2007-5386

phpMyAdmin: Cross Site Scripting of setup.php

Synthesis of the vulnerability

An attacker can use parameters of setup.php script in order to inject HTML code in phpMyAdmin.
Impacted products: Debian, Fedora, phpMyAdmin.
Severity of this bulletin: 2/4.
Consequences of an intrusion: client access/rights.
Hacker's origin: document.
Creation date: 11/10/2007.
Références of this threat: 071009a, BID-26020, CVE-2007-5386, DSA-1403-1, FEDORA-2007-2738, FEDORA-2007-3639, MDKSA-2007:199, PMASA-2007-5, VIGILANCE-VUL-7245.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The setup.php script configures the environment. This script does not filter parameters its receives. An attacker can therefore use it to inject Javascript code.

This vulnerability therefore permits an attacker to conduct a Cross Site Scripting attack, when victim is authenticated on phpMyAdmin.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides network vulnerability alerts. The technology watch team tracks security threats targeting the computer system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.