Tracker: Bugs

1 (in 2.6.4) XSS in cookie login - ID: 1240880
Last Update: Settings changed ( lem9 )

XSS when using something like this as Username:

><script>alert('Test');</script>


Andreas Kerber ( andkerber ) - 2005-07-19 14:18

1

Closed

Fixed

Marc Delisle

Security / Restrictions

2.6.3-pl1

Public


Comments ( 5 )

Date: 2005-07-21 11:55
Sender: lem9 (Project Admin & Donor)

Logged In: YES
user_id=210714

fixed in cvs


Date: 2005-07-20 21:18
Sender: andkerber

Logged In: YES
user_id=1315163

Yes that seems to fix it, thanks.


Date: 2005-07-20 20:12
Sender: lem9 (Project Admin & Donor)

Logged In: YES
user_id=210714

Ok I see it on your site. Please try this: in
libraries/auth/cookie.auth.lib.php
line 621 becomes:
$conn_error = PMA_sanitize(PMA_DBI_getError());
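
Added example (not part of the original comment and not phpMyAdmin code): a before/after of the change suggested above, assuming the database error text quotes the submitted username, as MySQL's access-denied message does. The function names are hypothetical, and `htmlspecialchars()` stands in for `PMA_sanitize()`, whose implementation is not shown on this page.

```php
<?php
// Added example, not phpMyAdmin source. All function names are hypothetical.

// Stand-in for a failed DB connection: the "access denied" error text
// quotes the user name that was submitted (constructed sample message).
function fake_connect_error(string $user): string
{
    return "#1045 - Access denied for user '" . $user
         . "'@'localhost' (using password: YES)";
}

// 'Before': the error text is placed into the login page as-is.
function render_login_error_raw(string $user): string
{
    $conn_error = fake_connect_error($user);
    return '<div class="error">' . $conn_error . '</div>';
}

// 'After': the error text is HTML-escaped before it reaches the page.
// htmlspecialchars() is an assumption standing in for PMA_sanitize().
function render_login_error_escaped(string $user): string
{
    $conn_error = htmlspecialchars(fake_connect_error($user), ENT_QUOTES, 'UTF-8');
    return '<div class="error">' . $conn_error . '</div>';
}

// Check: does any markup besides the wrapper <div> survive in the output?
function contains_injected_markup(string $html): bool
{
    $inner = preg_replace('#^<div class="error">(.*)</div>$#s', '$1', $html);
    return strip_tags($inner) !== $inner;
}

$user = "><script>alert('Test');</script>"; // the string from the report

$renderers = [
    'raw'     => 'render_login_error_raw',
    'escaped' => 'render_login_error_escaped',
];
foreach ($renderers as $label => $fn) {
    $html = $fn($user);
    printf("%-8s injected markup: %s\n  %s\n",
        $label, contains_injected_markup($html) ? 'yes' : 'no', $html);
}
```

The same check can be kept as a regression test for any login-page field that echoes server error text.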




Date: 2005-07-20 19:41
Sender: andkerber

Logged In: YES
user_id=1315163

Yes on the login page. Maybe it has something to do with
the used MySQL Version (4.0.15).

You can try our 2.6.3pl1 installation on
http://web1.phpmyadmin.speedkom.net to verify.


Date: 2005-07-20 17:03
Sender: lem9 (Project Admin & Donor)

Logged In: YES
user_id=210714

I cannot reproduce the problem. You just enter this string
on the login page as the username?


Changes ( 6 )

Field          Old Value            Date              By
status_id      Open                 2005-09-10 21:01  lem9
close_date     -                    2005-09-10 21:01  lem9
resolution_id  None                 2005-07-21 11:55  lem9
priority       5                    2005-07-21 11:55  lem9
summary        XSS in cookie login  2005-07-21 11:55  lem9
assigned_to    nobody               2005-07-20 16:33  lem9