PT-2007-1222 · Phpmyadmin · Phpmyadmin

Laurent Gaffié · Published 2007-01-19 · Updated 2017-07-29 · CVE-2006-6942

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpMyAdmin versions prior to 2.9.1.1
Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. They allow remote attackers to inject arbitrary HTML or web script via several parameters and files, including:
  • a comment for a table name (the comment is stored with the table, so this vector is persistent rather than reflected and fires for any user who views it),
  • the db parameter to "db_create.php",
  • the newname parameter to "db_operations.php",
  • the query_history_latest, query_history_latest_db, and querydisplay_tab parameters to "querywindow.php",
  • the pos parameter to "sql.php".
No information is provided about the estimated number of potentially affected devices or real-world incidents.
Recommendations: For versions prior to 2.9.1.1, update to version 2.9.1.1 or later to resolve the issue. As a temporary workaround, restrict access to the affected scripts ("db_operations.php", "db_create.php", "querywindow.php", and "sql.php") until the update is applied; since these are core parts of the phpMyAdmin interface rather than separable API endpoints, in practice this means restricting the whole installation to trusted networks and users. The parameter-based vectors (db, newname, query_history_latest, query_history_latest_db, querydisplay_tab, and pos) are reflected from the request, so an attacker needs a user, typically a logged-in administrator, to open a crafted link; treat such links from untrusted sources accordingly until the issue is resolved. Because the table-comment vector is stored, review existing table comments for injected markup after upgrading.
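A practical check for the reflected vectors listed above, as an added example that is not phpMyAdmin's own code: it builds one probe URL per script/parameter pair named in the advisory and classifies a response body by whether the canary came back raw (exploitable), fully HTML-escaped (the patched behaviour), partially escaped, or not at all. The base URL "http://pma.example.test/phpmyadmin" and the sample response bodies are constructed for the demonstration; the module sends nothing and runs offline. The stored table-comment vector is not a request parameter and is therefore not probed here.

```python
"""Reflection check for the phpMyAdmin XSS parameters listed in CVE-2006-6942.

Added example, not phpMyAdmin's own code.  It builds one probe URL per
script/parameter pair named in the advisory and classifies a response body
as echoing the canary raw (exploitable), HTML-escaped (the fixed behaviour),
partially escaped, or not at all.  The sample response bodies below are
constructed so the module runs offline; nothing is sent over the network.
"""
import html
import re
from urllib.parse import urlencode

# Canary = fixed words around every character htmlspecialchars() may encode,
# so raw vs. escaped reflection is unambiguous.  Constructed marker, not an
# exploit string from the advisory.
PREFIX, META, SUFFIX = "pma", '<"\'&>', "canary"
CANARY = PREFIX + META + SUFFIX
# Characters that break out of HTML context if left raw ('&' alone does not).
DANGEROUS = '<>"\''

# Script -> parameters, as named in the advisory.
ADVISORY_PARAMS = {
    "db_create.php": ["db"],
    "db_operations.php": ["newname"],
    "querywindow.php": ["query_history_latest", "query_history_latest_db", "querydisplay_tab"],
    "sql.php": ["pos"],
}


def probe_urls(base_url, canary=CANARY):
    """Return (script, param, url) triples, one probe per advisory parameter."""
    base_url = base_url.rstrip("/")
    return [
        (script, param, f"{base_url}/{script}?{urlencode({param: canary})}")
        for script, params in ADVISORY_PARAMS.items()
        for param in params
    ]


def classify(body):
    """Classify how a response body reflected CANARY.

    'raw'     - echoed verbatim: script/HTML injection is possible
    'escaped' - every metacharacter HTML-encoded (what 2.9.1.1 does)
    'partial' - some metacharacters still raw, e.g. htmlspecialchars() without
                ENT_QUOTES leaving the single quote, which still breaks out of
                single-quoted attributes
    'absent'  - canary not found between its fixed ends
    """
    if CANARY in body:
        return "raw"
    # Locate whatever came back between the canary's fixed ends and decode it;
    # comparing after html.unescape() makes the check independent of whether
    # the server used &#039;, &#x27; or &apos; for the single quote.
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), body, re.S)
    if not m or html.unescape(m.group(1)) != META:
        return "absent"
    if any(c in m.group(1) for c in DANGEROUS):
        return "partial"
    return "escaped"


# Constructed response fragments standing in for real phpMyAdmin pages.
SAMPLE_RESPONSES = {
    "vulnerable": '<input type="text" name="db" value="pma<"\'&>canary" />',
    "fixed":      '<input type="text" name="db" value="pma&lt;&quot;&#039;&amp;&gt;canary" />',
    "no_quotes":  "<input type='text' name='db' value='pma&lt;&quot;'&amp;&gt;canary' />",
    "clean":      "<title>phpMyAdmin</title>",
}


def report(responses=SAMPLE_RESPONSES):
    """Map each response label to its classification."""
    return {label: classify(body) for label, body in responses.items()}


if __name__ == "__main__":
    for script, param, url in probe_urls("http://pma.example.test/phpmyadmin"):
        print(f"{script:20} {param:26} {url}")
    for label, verdict in report().items():
        print(f"{label:10} -> {verdict}")
```

To use it against a real installation, fetch each URL from probe_urls() with an authenticated session and pass the body to classify(); any "raw" or "partial" verdict means the instance is still affected. The "partial" class is worth keeping even after upgrading, since escaping that omits ENT_QUOTES looks fixed to a naive string search but still lets a single quote close an attribute.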

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2006-6942
DSA-1370-1
DSA-1370-2

Affected Products

Phpmyadmin