Detections
Analytics

phpMyAdmin error.php BBcode Tag XSS (PMASA-2010-9)

medium Nessus Plugin ID 51425

Language:

Synopsis

The remote web server hosts a PHP script that is prone to a cross- site scripting attack.

Description

The version of phpMyAdmin fails to validate BBcode tags in user input to the 'error' parameter of the 'error.php' script before using it to generate dynamic HTML.

An attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site. For example, this could be used to cause a page with arbitrary text and a link to an external site to be displayed.

Solution

Upgrade to phpMyAdmin 3.4.0-beta1 or later.

See Also

https://www.phpmyadmin.net/security/PMASA-2010-9/

Plugin Details

Severity: Medium

ID: 51425

File Name: phpmyadmin_pmasa_2010_9.nasl

Version: 1.13

Type: remote

Published: 1/6/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/PHP, www/phpMyAdmin

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 12/7/2010

Vulnerability Publication Date: 12/6/2010

Reference Information

CVE: CVE-2010-4480

BID: 45633

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990