CVE-2006-6942
phpMyAdmin < 2.9.1 - Cross-Site Scripting via Multiple Parameters
Exploitation Summary
EIP tracks 4 public exploits for CVE-2006-6942. PoCs published by laurent gaffie.
AI-analyzed exploit summary
This exploit demonstrates an XSS vulnerability in phpMyAdmin by injecting a malicious script into the URL, which executes arbitrary JavaScript in the context of the affected site. It targets the 'table' parameter in the 'sql.php' script to trigger the vulnerability.
Description
Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php.
Exploits (4)
This exploit demonstrates an XSS vulnerability in phpMyAdmin by injecting a malicious script into the URL, which executes arbitrary JavaScript in the context of the affected site. It targets the 'table' parameter in the 'sql.php' script to trigger the vulnerability.
The provided text describes multiple input-validation vulnerabilities in phpMyAdmin, including XSS and information disclosure. It includes a URL example demonstrating potential XSS exploitation via query parameters.
The provided text describes an XSS vulnerability in phpMyAdmin, where an attacker can inject arbitrary script code via the 'newname' parameter in the 'db_operations.php' file. This can lead to cookie theft or site rendering manipulation.
The provided text describes multiple input-validation vulnerabilities in phpMyAdmin, including XSS and information disclosure, but does not contain functional exploit code. It references a URL pattern for potential exploitation but lacks executable PoC.