Skip to content

phpMyAdmin 3.4.x 多个HTML注入漏洞


Announcement-ID: PMASA-2012-4

Date: 2012-08-16

phpMyAdmin之前版本、 之前版本在实现上存在多个HTML注入漏洞,攻击者可利用这些漏洞注入HTML和JS代码到受影响站点,导致窃取身份验证凭证并控制站点外观。

Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages.


Using a crafted table name, it was possible to produce a XSS : 1) On the Database Structure page, creating a new table with a crafted name 2) On the Database Structure page, using the Empty and Drop links of the crafted table name 3) On the Table Operations page of a crafted table, using the ‘Empty the table (TRUNCATE)’ and ‘Delete the table (DROP)’ links 4) On the Triggers page of a database containing tables with a crafted name, when opening the ‘Add Trigger’ popup 5) When creating a trigger for a table with a crafted name, with an invalid definition. Having crafted data in a database table, it was possible to produce a XSS : 6) When visualizing GIS data, having a crafted label name.


We consider these vulnerabilities to be non critical.

Mitigation factor

These XSS can only be triggered when a table with a crafted name is already present, or if crafted data is already stored in a database table.

Affected Versions

Versions 3.4.x are affected, for issues #1 and #2. Versions 3.5.x are affected, for all issues.


Upgrade to phpMyAdmin or or newer or apply the patches listed below.


Posted in 安全通告.

Tagged with , .

No Responses (yet)

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.