Vulnerabilities in phpMyAdmin before 2.6.0-pl3
XSS vulnerabilities were found
The logic used to auto-detect the PmaAbsoluteUri parameter can be fooled by adding an extra "/" and a crafted URL.
read_dump.php can be called with a crafted URL; the zero_rows variable is not sanitized, which can be used for an attack.
The confirm form (for example, after a DROP DATABASE statement) can be used for an XSS attack.
The internal phpMyAdmin parser does not sanitize the error message sent after an error such as a punctuation problem.
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3
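All four items share one bug class: a string the client controls (a query-string value, a path remnant used in URI auto-detection, a parser error message that quotes the input) is written into the HTML response without escaping. The PHP below is an added illustration of that class and of the standard hardening, not phpMyAdmin's code and not the fix shipped in 2.6.0-pl3; the function names, the host allow-list and the sample input are hypothetical.

```php
<?php
// Added illustration, not phpMyAdmin code. Function names, the host
// allow-list and the sample input are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: a message built from request data is written raw
// into the page, so markup in the parameter reaches the browser.
function render_message_vulnerable(string $message): string
{
    return "<p class=\"notice\">$message</p>";
}

// Hardened pattern: encode for the HTML text context before output.
// ENT_QUOTES also covers the attribute context; the charset must match the
// page's declared encoding or the browser may decode it differently.
function render_message_hardened(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"notice\">$safe</p>";
}

// Hardened absolute-URI detection: build the URI only from values the
// server sets and check the host against an allow-list, instead of echoing
// whatever the request carried. SCRIPT_NAME comes from the resolved script;
// PHP_SELF (and PATH_INFO) keep attacker-supplied trailing path segments
// such as /index.php/"><script>..., which is why an extra "/" can smuggle
// markup into a naively detected URI.
function absolute_uri_hardened(array $server, array $allowed_hosts): string
{
    $host = $server['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowed_hosts, true)) {
        throw new RuntimeException('unexpected Host header');
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    $dir    = rtrim(dirname($server['SCRIPT_NAME'] ?? '/'), '/');
    return $scheme . '://' . $host . $dir . '/';
}

// Constructed input standing in for a crafted query-string value.
$crafted = '0 rows <script>alert(1)</script>';
echo render_message_vulnerable($crafted), "\n"; // script element is live
echo render_message_hardened($crafted), "\n";   // &lt;script&gt; is inert text

// Constructed $_SERVER-like array: PHP_SELF carries a crafted path tail,
// SCRIPT_NAME does not.
$server = [
    'HTTP_HOST'   => 'db.example.test',
    'HTTPS'       => 'on',
    'SCRIPT_NAME' => '/phpmyadmin/index.php',
    'PHP_SELF'    => '/phpmyadmin/index.php/"><script>alert(1)</script>',
];
echo absolute_uri_hardened($server, ['db.example.test']), "\n";
// https://db.example.test/phpmyadmin/
```

The same rule applies to the confirm form and to parser error messages: any fragment of the original statement that is reflected back must pass through the encoder for the context it lands in (HTML text, attribute, or JavaScript string), and the auto-detected URI should never be trusted more than the Host and script path the server itself resolved.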