PT-2007-1222 · Phpmyadmin · Phpmyadmin

Laurent Gaffié · Published 2007-01-19 · Updated 2017-07-29 · CVE-2006-6942

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpMyAdmin versions prior to 2.9.1.1
Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. They allow remote attackers to inject arbitrary HTML or web script via several parameters and files, including:
  • a comment for a table name,
  • the db parameter to "db_create.php",
  • the newname parameter to "db_operations.php",
  • the query_history_latest, query_history_latest_db, and querydisplay_tab parameters to "querywindow.php",
  • the pos parameter to "sql.php".
No information is provided about the estimated number of potentially affected devices or real-world incidents.
Recommendations: For versions prior to 2.9.1.1, update to version 2.9.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable scripts, such as "db_operations.php", "db_create.php", "querywindow.php", and "sql.php", until a patch is applied. Avoid using the vulnerable parameters, such as db, newname, query_history_latest, query_history_latest_db, querydisplay_tab, and pos, in the affected files until the issue is resolved.
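As an added example (not part of this advisory and not phpMyAdmin's own code), a small access-log scan that flags requests to the scripts and parameters listed above whose values carry HTML or script markup, which is what a defender would watch for while the workaround is in place. The log lines are constructed samples and the /phpmyadmin/ path prefix is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script -> parameters the advisory lists as reflected without encoding (CVE-2006-6942).
AFFECTED = {
    "db_create.php": {"db"},
    "db_operations.php": {"newname"},
    "querywindow.php": {"query_history_latest", "query_history_latest_db", "querydisplay_tab"},
    "sql.php": {"pos"},
}
# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Tag start, javascript: URL, or an inline event handler such as onerror=
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def suspicious_params(path):
    """Return (script, {param: decoded value}) for watched params carrying markup, else None."""
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1]
    watched = AFFECTED.get(script)
    if not watched:
        return None
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in watched:
            for v in values:
                # Decode again: probes are often double-encoded to slip past naive filters.
                decoded = unquote(unquote(v))
                if MARKUP_RE.search(decoded):
                    hits[name] = decoded
    return (script, hits) if hits else None

def scan_log(lines):
    """Yield (client_ip, script, params) for each request that looks like an XSS probe."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, _status = m.groups()
        found = suspicious_params(path)
        if found:
            yield client, found[0], found[1]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [19/Jan/2007:10:00:01 +0000] "GET /phpmyadmin/db_create.php?db=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Jan/2007:10:00:02 +0000] "GET /phpmyadmin/sql.php?db=test&table=t1&pos=0 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/Jan/2007:10:00:03 +0000] "GET /phpmyadmin/querywindow.php?querydisplay_tab=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 900',
    '198.51.100.7 - - [19/Jan/2007:10:00:04 +0000] "GET /phpmyadmin/main.php?db=%3Cb%3E HTTP/1.1" 200 700',
]
```

Running `list(scan_log(SAMPLE_LOG))` flags only the first and third lines; a benign `pos=0` and a script outside the affected set are ignored.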

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2006-6942
DSA-1370-1
DSA-1370-2

Affected products

Phpmyadmin