VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 26, 2006· Updated Apr 16, 2026

CVE-2006-2031

CVE-2006-2031

Description

Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev are vulnerable to reflected XSS via the lang parameter in index.php.

Vulnerability

phpMyAdmin versions 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev contain a cross-site scripting (XSS) vulnerability in index.php. The lang parameter is not properly sanitized, allowing an attacker to inject arbitrary web script or HTML. The vulnerability is also present for the theme and db parameters in versions before 2.8.0.4, with some releases as early as 2.6.2 tested vulnerable [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in the lang parameter. No authentication is required; the attacker only needs to convince a victim to visit the crafted URL. For instance, a URL like http://target/phpmyadmin/index.php?lang= would execute the injected script in the victim's browser within the context of the phpMyAdmin site [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to potential information disclosure, session hijacking, or defacement. The attack is reflected and does not persist on the server, but the attacker can steal session cookies or perform actions on behalf of the victim if the victim has an active phpMyAdmin session [1][2].

Mitigation

The vulnerability is fixed in phpMyAdmin version 2.8.0.4. Users should upgrade to this version immediately. No workarounds are documented in the references. The issue is tracked as PMASA-2006-2 and assigned CVE-2006-2031 [2].

References
  1. About Secunia Research | Flexera
  2. PMASA-2006-2

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • PhpMyAdmin/phpMyAdmin5 versions
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.2:*:*:*:*:*:*:*+ 4 more
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1_dev:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_dev:*:*:*:*:*:*:*
    • (no CPE)range: 2.8.0.3, 2.8.0.2, 2.8.1-dev, 2.9.0-dev
  • osv-coords
    pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Tumbleweed
    Range: < 5.1.1-1.2

Patches

1
fad722d2f488

Escape user input (CVE-2006-2031).

https://github.com/phpmyadmin/phpmyadminMichal ČihařMay 2, 2006via github-commit-search
commit
3 files changed · +13 9
  • ChangeLog+4 0 modified
    @@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$
 
+2006-05-02 Michal Čihař  <michal@cihar.com>
+    * libraries/select_lang.lib.php, libraries/Theme_Manager.class.php: Escape
+      user input (CVE-2006-2031).
+
 2006-04-28 Michal Čihař  <michal@cihar.com>
     * Documentation.html, main.php, libraries/config.default.php: Possibility
       to hide creating of database from main (RFE #1370100).
  • libraries/select_lang.lib.php+3 3 modified
    @@ -409,13 +409,13 @@ function PMA_langDetect(&$str, $envType)
 
 // now, that we have loaded the language strings we can send the errors
 if ($lang_failed_cfg) {
-    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, $lang_failed_cfg);
+    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, htmlspecialchars($lang_failed_cfg));
 }
 if ($lang_failed_cookie) {
-    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, $lang_failed_cookie);
+    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, htmlspecialchars($lang_failed_cookie));
 }
 if ($lang_failed_request) {
-    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, $lang_failed_request);
+    $GLOBALS['PMA_errors'][] = sprintf($strLanguageUnknown, htmlspecialchars($lang_failed_request));
 }
 
 unset($strLanguageFileNotFound, $line, $fall_back_lang,
  • libraries/Theme_Manager.class.php+6 6 modified
    @@ -101,10 +101,10 @@ function init()
 
         if ( ! $this->checkTheme($GLOBALS['cfg']['ThemeDefault'])) {
             $GLOBALS['PMA_errors'][] = sprintf( $GLOBALS['strThemeDefaultNotFound'],
-                $GLOBALS['cfg']['ThemeDefault'] );
+                htmlspecialchars($GLOBALS['cfg']['ThemeDefault']));
             trigger_error(
                 sprintf($GLOBALS['strThemeDefaultNotFound'],
-                    $GLOBALS['cfg']['ThemeDefault']),
+                    htmlspecialchars($GLOBALS['cfg']['ThemeDefault'])),
                 E_USER_WARNING);
             $GLOBALS['cfg']['ThemeDefault'] = false;
         }
@@ -141,9 +141,9 @@ function setActiveTheme($theme = null)
     {
         if ( ! $this->checkTheme($theme)) {
             $GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
-                PMA_sanitize($theme));
+                htmlspecialchars($theme));
             trigger_error(
-                sprintf($GLOBALS['strThemeNotFound'], PMA_sanitize($theme)),
+                sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
                 E_USER_WARNING);
             return false;
         }
@@ -217,10 +217,10 @@ function PMA_Theme_Manager()
         if (! is_dir($folder)) {
             $GLOBALS['PMA_errors'][] =
                 sprintf($GLOBALS['strThemePathNotFound'],
-                    $folder);
+                    htmlspecialchars($folder));
             trigger_error(
                 sprintf($GLOBALS['strThemePathNotFound'],
-                    $folder),
+                    htmlspecialchars($folder)),
                 E_USER_WARNING);
             return false;
         }

Vulnerability mechanics

Root cause

"Missing HTML escaping of user-supplied language parameter before inclusion in error messages allows cross-site scripting."

Attack vector

A remote attacker sends an HTTP request to `index.php` with a crafted `lang` parameter containing malicious JavaScript or HTML. The application fails to escape this input before embedding it in error messages displayed to the user [patch_id=1693015]. No authentication is required, and the attack is triggered simply by visiting a crafted URL.

Affected code

The vulnerability is in `libraries/select_lang.lib.php` and `libraries/Theme_Manager.class.php`. In `select_lang.lib.php`, the `$lang_failed_request` variable (which receives the `lang` parameter from HTTP requests) is passed unsanitized into `sprintf()` calls that produce error messages displayed in the browser. Similarly, `Theme_Manager.class.php` passes unsanitized theme-related user input into error messages via `sprintf()`.

What the fix does

The patch wraps user-controlled values with `htmlspecialchars()` before passing them to `sprintf()` in error messages. In `select_lang.lib.php`, the `$lang_failed_request`, `$lang_failed_cookie`, and `$lang_failed_cfg` variables are now escaped. In `Theme_Manager.class.php`, `$GLOBALS['cfg']['ThemeDefault']`, `$theme`, and `$folder` are similarly escaped. This prevents injected HTML or JavaScript from being interpreted by the browser.

Preconditions

  • networkThe attacker must be able to send HTTP requests to a phpMyAdmin instance running one of the affected versions (2.8.0.3, 2.8.0.2, 2.8.1-dev, or 2.9.0-dev).
  • authNo authentication is required; the lang parameter is processed before authentication.

Reproduction

Visit `http://target/index.php?lang=%3Cscript%3Ealert(1)%3C/script%3E` against an affected phpMyAdmin installation. If the application displays an error message containing the unescaped script tag, the vulnerability is present.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.