[This was originally published on attrition.org. This is a rebuttal piece to phpMyAdmin XSS – A Quick Commentary (2010-08-30) by @wh1t3rabbit (Rafal Los).]
Wake up phpMyAdmin users – if you haven’t updated to the latest version yet… what are you waiting for? Haven’t you seen the advisory the YEHG released? Advisory, complete with some interesting screen shots here.
On 8/20/2010 the phpMyAdmin folks released an advisory and patches… one you should take note of for a few reasons. First off – having a Cross-Site Scripting (XSS) attack in your admin console for your system from a web-based console is usually a red light anyway – but one in a package as popular as phpMyAdmin… well, you can do your own math.
What does the math say about the 80+ XSS vulnerabilities in HP’s products, many in admin/management consoles? Glass houses, throwing stones, and white rabbits yet again.
Just something I thought you all should be aware of, since at last count Google says there are around 2MM results for the phpMyAdmin query string …yikes. I hope they’re all patched up?
How many HP products are out there with unpatched XSS vulnerabilities? Curious why Rafal did not mention how fast phpMyAdmin patched those vulnerabilities (~ 10 days), and doesn’t consider the irony of HP not patching an XSS in one of their own admin dashboards after 1,000 days. Worse, still no indication it has been patched after close to 2,000 days.