Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Adminware, Control Panels :: b06-5794.htm

PhpMyAdmin all version
PhpMyAdmin all version
PhpMyAdmin all version

vendor site: 
product:PhpMyAdmin all version
bug: xss permanent & full path disclosure
global risk:high

xss post :
1) create a table , with whatever name , when it's done , go to "operation" 
(/db_operations.php) and add a comment on your table with:
( the "alert" is only to show the xss is working ...)
this is a serious security issue , because it's a permanent xss , when you get into phpmyadmin 
you will get your cookie stealed directly , without looking at the attacker_table.
variables :
token=your_token&reload=1&db=[double xss(2 followed xss)]



xss get :

Note: if there's a "token=" on this string ,it's because you need it , so replace this one with yours .

full path disclosure :

laurent gaffi=E9 & benjamin moss=E9 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH