phpMyAdmin Cross-site Scripting Vulnerability

[Oriol Torrent Santiago <oriol.torrent () gmail com>]

==========================================================
Title: phpMyAdmin Cross-site Scripting Vulnerability

Application: phpMyAdmin
Vendor: http://www.phpmyadmin.net
Vulnerable Versions: <=2.6.2-beta1
Corrected: phpMyAdmin versions after 2.6.2-beta1
Bug: Cross-site Scripting
Date: 3-Apr-2005
Author: Oriol Torrent Santiago < oriol.torrent () gmail com >

References:
http://www.arrelnet.com/advisories/adv20050403.html
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3

==========================================================

1) Background
  -----------
phpMyAdmin is a tool written in PHP intended to handle the administration
of MySQL over the Web. Currently it can create  and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields,  manage privileges,export data into various formats
and is available in 47 languages.

2) Problem description
  --------------------

phpMyAdmin <=2.6.2-beta1 contain a vulnerability is caused due to
missing validation of input supplied to "convcharset" variable.

This can be exploited to execute arbitrary HTML and script code(JavaScript,
VBScript,etc.) in a user's browser session in context of a vulnerable site.
It allows an attacker to use the vulnerability to compromise the phpMyAdmin
account, cookie theft, etc.

Ex1:
http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\";><script>alert(document.cookie)</script>

Ex2:
http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\";><h1>XSS</h1>

3) Solution:
  ---------

Vendor was contacted on the 29th of March 2005 and new version is released

Download the latest version of phpMyAdmin

4) Timeline
  --------

29/03/2005  Bug discovered
29/03/2005  Vendor notified
29/03/2005  Vendor response and bug fixed
03/04/2005  New version released
03/04/2005  Advisory released