Reflected XSS Vulnerability Found in phpMyBackupPro (Version 2.3)

A critical reflected cross-site scripting (XSS) vulnerability has been discovered in phpMyBackupPro, a widely used open-source MySQL backup tool. The flaw affects the web interface and allows an attacker to inject script into the page through unsanitized GET parameters that are reflected into the HTML output.

Vulnerability Overview

The vulnerability is classified as a reflected XSS, which can be triggered by a crafted URL containing malicious JavaScript code. Affected scripts include index.php and config.php, where user input is reflected into the page output without proper sanitization. This can lead to session hijacking, phishing attacks, or other malicious actions if a logged-in administrator clicks the malicious link.

Affected Versions

  • Confirmed: phpMyBackupPro v2.3 (latest as of 2015-06-18)
  • Likely: All earlier versions

Proof of Concept (PoC)

https://example.com/phpmybackuppro/index.php?message=<script>alert(1)</script>

Recommended Mitigation

Developers are advised to encode all user-controlled input at the point of output, using a context-appropriate method such as htmlspecialchars() in PHP, and never to echo raw $_GET or $_POST data directly into HTML. Input validation and a Content Security Policy (CSP) are recommended as additional layers of defence.
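As an added example, not phpMyBackupPro's own source, the reflection pattern this advisory describes is shown in its unsafe form beside the encoded form, together with the CSP header the mitigation mentions. The parameter name message is taken from the PoC URL above; the function names and markup are assumptions.

```php
<?php
// Added example, not phpMyBackupPro's own code. The parameter name "message"
// comes from the advisory's PoC URL; the helper names and markup are assumed.

// Unsafe: the GET parameter is concatenated into HTML unchanged, so any
// markup in the query string becomes markup in the page (reflected XSS).
function render_message_unsafe(string $raw): string
{
    return '<p class="message">' . $raw . '</p>';
}

// Hardened: encode for the HTML text context at the point of output.
// ENT_QUOTES also escapes single quotes, so the same helper is safe inside
// quoted attributes; ENT_SUBSTITUTE prevents an empty result on invalid UTF-8.
function render_message_safe(string $raw): string
{
    $encoded = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="message">' . $encoded . '</p>';
}

// Defence in depth: a restrictive CSP blocks inline script even if one
// reflection point is missed. Headers must be sent before any output.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input modelled on the advisory's PoC value.
    $sample = '<script>alert(1)</script>';
    echo render_message_unsafe($sample), PHP_EOL;   // markup survives intact
    echo render_message_safe($sample), PHP_EOL;     // angle brackets are entity-encoded
} else {
    // Request handler: send headers first, then accept only a string value
    // (arrays such as ?message[]=x are rejected) and encode it on output.
    send_security_headers();
    $message = isset($_GET['message']) && is_string($_GET['message']) ? $_GET['message'] : '';
    echo render_message_safe($message);
}
```

Run from the command line to compare the two renderings side by side; in a web context the same file serves the hardened handler.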

CVE Assignment

A CVE (Common Vulnerabilities and Exposures) identifier has been requested for this issue to support coordinated public tracking and awareness.