phpMyAdmin Print view XSS-Vulnerability

Type: persistent XSSNorman Hippert — Company: — (wildcat at the-wildcat dot de)

  • Reported: 05.07.2011
  • Published: 23.07.2011
  • Updated: 23.07.2011
  • Affected versions: <=
  • Risk: moderate
  • Solution: Update to or newer
  • CVE-ID: CVE-2011-2642


Also have a look at phpMyAdmin Direct Remote Code Execution

The table print view in phpMyAdmin is susceptible to XSS.
The tablename is not properly sanitized. This allows an attacker to execute arbitary javascript code
within site context.

The attacker needs access to the victims database and the CREATE or ALTER TABLE right.
Additionally, the attacker must trick the victim into opening the following links
Need help securing your (web) applications? Write an e-mail to wildcat at the-wildcat dot de or contact me on XING :mrgreen:

tbl_printview.php?db=database_to_attack&table=[table name as payload].

phpMyAdmin- XSS

No url token required.