PhpMyAdmin Setup '$host' Variable Cross Site Scripting Vulnerability Network Vulnerability

Summary

The host is running phpMyAdmin and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to phpMyAdmin version 3.4.9 or later, For updates refer to http://www.phpmyadmin.net/home_page/downloads.php

Insight

The flaw is due to improper validation of user-supplied input via the '$host' variable within the setup, which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Affected

phpMyAdmin versions 3.4.x before 3.4.9

References

http://packetstormsecurity.org/files/108110/TWSL2011-019.txt
http://secunia.com/advisories/47338
http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4780, CVE-2011-4782

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Web Server ETag Header Information Disclosure Weakness
Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability
AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
Apple Safari Multiple Vulnerabilities
Apache Tomcat Directory Listing and File disclosure

phpMyAdmin Setup '$host' Variable Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities