PhpMyAdmin 'url.php' Cross Site Scripting Vulnerability - Dec14 Network Vulnerability

Summary

This host is installed with phpMyAdmin and is prone to cross-site scripting(XSS) vulnerability.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to phpMyAdmin 4.2.13.1 or later. For updates refer to http://www.phpmyadmin.net

Insight

Input passed via the 'url' parameter to url.php script is not validated before returning it to users.

Affected

phpMyAdmin 4.2.x versions before 4.2.13.1

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://blog.elevenpaths.com/2014/12/phpmyadmin-fixes-xss-detected-by.html?m=1
http://osvdb.org/115323
http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php
http://xforce.iss.net/xforce/xfdb/99137

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9219

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

AdaptCMS 'init.php' Remote File Include Vulnerability
Apache Tomcat SecurityConstraints Security Bypass Vulnerability
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability
Apple Safari Multiple Vulnerabilities
Apache Web Server ETag Header Information Disclosure Weakness

phpMyAdmin 'url.php' Cross Site Scripting Vulnerability - Dec14

Take action and discover your vulnerabilities