TECHNICAL BULLETIN
| PROBLEM: | phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. |
| PLATFORM: | phpMyAdmin 3.3.0-dev, phpMyAdmin 3.2.1-dev, phpMyAdmin 3.2.0.1, phpMyAdmin 3.2.0-rc1, phpMyAdmin 2.11.10-dev |
| ABSTRACT: | An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-173.shtml |
| OTHER LINKS: | Security Focus Website http://www.securityfocus.com/bid/35531/ ; phpMyAdmin Website http://www.phpmyadmin.net/ |
| IMPACT ASSESSMENT: | The risk is medium. An attacker is able to run arbitrary JavaScript code in a user's browser with that user's permissions. |
Discussion: phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The following versions of phpMyAdmin are affected: phpMyAdmin 3.2.0.1, phpMyAdmin 3.2.1-dev, phpMyAdmin 3.3.0-dev, phpMyAdmin 2.11.10-dev, phpMyAdmin 3.2.0-rc1. Other versions may also be affected.

Solution: Currently we are not aware of any vendor-supplied patches.
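As an added illustration of the insufficient-sanitization pattern behind this class of cross-site scripting (this is not text from the bulletin and not phpMyAdmin's code), the PHP below places a hypothetical page fragment that echoes a request value verbatim beside the same fragment with context-appropriate HTML encoding; the function names and the `db` value are assumptions.

```php
<?php
// Added illustration only: hypothetical render functions, not phpMyAdmin code.
declare(strict_types=1);

// Vulnerable pattern: user-supplied data is placed into HTML unchanged,
// so any markup or quotes it contains become part of the page.
function render_title_vulnerable(string $db): string
{
    return '<h2>Database: ' . $db . '</h2>';
}

// Hardened pattern: encode the value for the HTML context it lands in.
// ENT_QUOTES also encodes single quotes (relevant inside attributes);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding an empty string.
function render_title_safe(string $db): string
{
    $encoded = htmlspecialchars($db, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Database: ' . $encoded . '</h2>';
}

// Returns true when the rendered fragment still contains raw markup,
// i.e. when user input was able to inject HTML.
function contains_raw_markup(string $html): bool
{
    // Strip our own fixed wrapper, then look for any remaining tag characters.
    $inner = substr($html, strlen('<h2>Database: '), -strlen('</h2>'));
    return strpbrk($inner, '<>"\'') !== false;
}

// Constructed sample input holding the characters that break out of HTML.
$sample = '<b>x</b>"\'';

$vulnerable = render_title_vulnerable($sample);
$safe       = render_title_safe($sample);

// Self-check: the vulnerable output leaks markup, the encoded one does not.
$expectedSafe = '<h2>Database: &lt;b&gt;x&lt;/b&gt;&quot;&#039;</h2>';
if (!contains_raw_markup($vulnerable) || contains_raw_markup($safe) || $safe !== $expectedSafe) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "safe:       ", $safe, PHP_EOL;
```

Encoding must match the output context (HTML body, attribute, or script), and marking session cookies HttpOnly limits what an injected script can read even where encoding is missed.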
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov