A critical reflected cross-site scripting (XSS) vulnerability has been discovered in phpMyBackupPro, a widely used open-source MySQL backup tool. The flaw affects the web interface and allows attackers to inject malicious scripts through unsanitized GET parameters.
The vulnerability is classified as a reflected XSS, which can be triggered by a crafted URL containing malicious JavaScript code. Affected scripts include index.php and config.php, where user input is reflected into the page output without proper sanitization. This can lead to session hijacking, phishing attacks, or other malicious actions if a logged-in administrator clicks the malicious link.
https://example.com/phpmybackuppro/index.php?message=<script>alert(1)</script>
Developers are advised to sanitize all user-controlled input using secure output encoding methods such as htmlspecialchars() in PHP. Avoid echoing raw $_GET or $_POST data directly into HTML output. Implementing input validation and a Content Security Policy (CSP) is also recommended.
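The following PHP snippet is an added illustration of the advice above and is not code from phpMyBackupPro or from the advisory's author. It shows a reflected echo of the `message` parameter from the proof-of-concept URL beside the hardened form using htmlspecialchars(), plus an allow-list on the input and the response headers a CSP deployment would set. The function names, the allow-list keys and the specific CSP directives are assumptions chosen for the example.

```php
<?php
// Added example (not phpMyBackupPro's own code): a vulnerable echo of a
// GET parameter beside the hardened version the advisory recommends.
// Function names, the allow-list contents and the CSP directives are
// assumptions; the parameter name "message" comes from the advisory's URL.

declare(strict_types=1);

// VULNERABLE: the raw query-string value is reflected straight into HTML,
// so whoever controls the URL controls the page's markup.
function render_message_vulnerable(string $message): string
{
    return '<p class="notice">' . $message . '</p>';
}

// HARDENED: encode for the HTML text context before output.
// ENT_QUOTES also encodes ' and ", so the value is safe inside attribute
// values as well; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an
// empty string, which would silently drop the message.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_message_safe(string $message): string
{
    return '<p class="notice">' . html_escape($message) . '</p>';
}

// Defence in depth: validate the input itself. A status message chosen by
// the application only needs a known key, not free text from the URL.
const KNOWN_MESSAGES = [
    'backup_ok'   => 'Backup completed successfully.',
    'backup_fail' => 'Backup failed; check the log.',
];

function message_from_key(string $key): ?string
{
    return KNOWN_MESSAGES[$key] ?? null;
}

// Response headers that limit what an injected script could do even if an
// encoding bug slipped through. A per-request nonce is preferable to 'self'
// when the page needs inline scripts; 'self' keeps the example short.
function send_security_headers(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
        header('X-Content-Type-Options: nosniff');
    }
}

// Demonstration with the advisory's own proof-of-concept payload.
$payload = '<script>alert(1)</script>';

echo 'Vulnerable: ' . render_message_vulnerable($payload) . PHP_EOL;
echo 'Hardened:   ' . render_message_safe($payload) . PHP_EOL;

// Self-check: the hardened output must never contain a raw tag from input.
if (strpos(render_message_safe($payload), '<script') !== false) {
    throw new RuntimeException('output encoding failed');
}

// Typical request handling: prefer the allow-list, fall back to encoding.
// $_GET is only populated under a web server; on the CLI the payload is used.
send_security_headers();
$key  = $_GET['message'] ?? $payload;
$text = message_from_key($key) ?? $key;
echo render_message_safe($text) . PHP_EOL;
```

Run with `php example.php` to compare the two outputs: the vulnerable line reproduces the `<script>` tag verbatim, while the hardened line emits `&lt;script&gt;` and the browser renders it as text. Output encoding is the fix; the allow-list and CSP headers reduce the impact of any future encoding mistake.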
A CVE (Common Vulnerabilities and Exposures) identifier has been requested for this issue to support coordinated public tracking and awareness.
See also the phpMyBackupPro project site for more information.