Hi

On Tue, 16 Oct 2007 08:24:57 +0200
Thijs Kinkhorst <[EMAIL PROTECTED]> wrote:

> tags 446451 moreinfo
> thanks
>
> Hi Steffen,
>
> On Saturday 13 October 2007 07:26, Steffen Joeris wrote:
> > Cross-site scripting (XSS) vulnerability in scripts/setup.php
> > in phpMyAdmin 2.11.1, when accessed by a browser that does
> > not URL-encode requests, allows remote attackers to inject
> > arbitrary web script or HTML via the query string. NOTE: some
> > of these details are obtained from third party information.
>
> I've seen this fix in upstream SVN but couldn't think of a case where this is
> exploitable by anyone other than the user himself. I will look into it but I'm not
> sure that this is a grave issue. A concrete exploit scenario is welcome.

And it looks to be exploitable only with MSIE with disabled UTF-8 URLs.

BTW: There will be yet another XSS fixed soon (already fixed in SVN, release
will probably happen today), so you should probably wait with uploading a new
version :-).

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com