
PHPMyWind has Reflected Cross-Site Scripting Vulnerability Description


Testing Target

Abstract

An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability.

Concept

  1. We download the latest version from the official website and build the default environment.

  2. During the setup steps, we can use BurpSuite to bypass the username check mechanism and insert an XSS payload as the admin username.

  3. Now go back to the admin login page and, again using BurpSuite, change the username to log in.

  4. That's a great result.
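
A defensive sketch for the flaw described in the steps above, added here and not taken from PHPMyWind's code: the username is validated on the server, because a check that can be skipped by editing the request in a proxy is not a control, and it is HTML-encoded wherever it is rendered. The function names and the username policy (3 to 20 letters, digits or underscores) are assumptions.

```php
<?php
// Added example, not PHPMyWind source. Function names and the username
// policy are hypothetical and chosen for illustration.

/**
 * Server-side check for the installer's username field.
 * Returns the username if it matches the allow-list, otherwise null.
 */
function validate_admin_username(string $raw): ?string
{
    // \A and \z anchor the whole string; "$" alone would accept a
    // trailing newline after an otherwise valid name.
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Encode on output as well: a value already in the database, or written
 * by another code path, must not reach HTML unescaped.
 */
function render_username(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: two valid names, one containing markup,
// one with a trailing newline, one too short.
$samples = ['admin', 'site_admin01', '<b>admin</b>', "admin\n", 'ab'];

foreach ($samples as $s) {
    $checked = validate_admin_username($s);
    printf(
        "%-18s => %-8s | rendered as: %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        $checked === null ? 'rejected' : 'accepted',
        json_encode(render_username($s), JSON_UNESCAPED_SLASHES)
    );
}
```

Validation alone does not clean up a username stored before the fix, which is why the output encoding is applied independently of it.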
