CERT-In Vulnerability Note
PhpMyAdmin Local file inclusion and Cross site scripting vulnerabilities
Original Issue Date: November 08, 2005
Severity Rating: HIGH
Systems Affected: phpMyAdmin 2.6.4-pl2 and prior
Two vulnerabilities have been reported in phpMyAdmin which could be exploited by remote attackers to conduct cross-site scripting attacks or to disclose sensitive information.
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. The first vulnerability is due to improper validation of input passed to certain configuration parameters in some phpMyAdmin scripts. This could be exploited to include arbitrary files from the local file system of the server.
The second issue is due to errors in the scripts left.php, queryframe.php and server_database.php, which do not properly validate specially crafted parameters. Successful exploitation allows an attacker to execute arbitrary script content in a user's web browser in the context of the site running phpMyAdmin.
Solution: Update to version 2.6.4-pl3 or later.
Reference: Secunia Advisory SA 17289
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003