Release date: 2011-12-16
Updated on: 2011-12-19
Affected Systems:
phpMyAdmin 3.4.x
Unaffected systems:
phpMyAdmin 3.4.8
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 51099
CVE ID: CVE-2011-4634
phpMyAdmin is a web application written in PHP for administering MySQL databases.
Multiple cross-site scripting vulnerabilities exist in phpMyAdmin versions earlier than 3.4.8. A remote attacker can exploit them to execute arbitrary script code in the browser of a user of the affected site and steal cookie-based authentication credentials.
A specially crafted database name triggers XSS in the Database Synchronization panel and the database rename panel. An invalid, specially crafted SQL query triggers XSS when the query is edited on the Table Overview panel or used in the create view dialog. A specially crafted column type triggers XSS in the table search dialog and the index creation dialog.
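The common root of the three issues above is an identifier that MySQL accepts (a database name, a column type, or user-supplied SQL text) being written into the HTML of a panel without output encoding. The following is an added example, not phpMyAdmin's code or anything from the advisory: a vulnerable rendering of a hypothetical database rename panel next to a hardened one. The function names and the sample database name are constructed for this illustration.

```php
<?php
// Added example (not phpMyAdmin code). Shows the bug class behind the advisory:
// an identifier that MySQL allows is echoed into HTML with no output encoding.

// Constructed sample: MySQL permits quotes, angle brackets and spaces inside a
// backtick-quoted identifier, so this is a legal database name. It contains a
// double quote (breaks out of an attribute value) and an unclosed tag (changes
// the page markup) but no script, which is enough to show the difference.
$dbName = 'q4 report"><b>draft';

// Vulnerable pattern: the raw identifier is interpolated into markup twice,
// once in text context and once inside a double-quoted attribute.
function renderRenamePanelVulnerable(string $db): string
{
    return '<label>Rename database ' . $db . ' to: '
         . '<input type="text" name="newname" value="' . $db . '"></label>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES encodes both quote styles so attribute values cannot be broken
// out of; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRenamePanelFixed(string $db): string
{
    return '<label>Rename database ' . h($db) . ' to: '
         . '<input type="text" name="newname" value="' . h($db) . '"></label>';
}

// Simple check a reviewer can apply to rendered output: after encoding, the
// only '<' and '"' characters left are the ones the template itself wrote.
function countRawMarkupChars(string $html, string $template): int
{
    return substr_count($html, '<') + substr_count($html, '"')
         - substr_count($template, '<') - substr_count($template, '"');
}

$template = renderRenamePanelFixed('');

echo renderRenamePanelVulnerable($dbName), PHP_EOL;
// -> extra '<' and '"' from the identifier reach the browser unchanged
echo 'raw markup chars injected (vulnerable): ',
     countRawMarkupChars(renderRenamePanelVulnerable($dbName), $template), PHP_EOL;

echo renderRenamePanelFixed($dbName), PHP_EOL;
// -> the identifier appears as &quot;, &lt; and &gt; entities
echo 'raw markup chars injected (fixed): ',
     countRawMarkupChars(renderRenamePanelFixed($dbName), $template), PHP_EOL;
```

The fix in the hardened version is the same one that applies to the other two panels in the advisory: encode every attacker-influenced identifier or SQL text for the exact context it lands in (HTML text, attribute value, or JavaScript string) at the moment it is written out, rather than trusting that it was "just a database name".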
<* Source: David Vieira-Kurz
Link: https://bugzilla.redhat.com/show_bug.cgi?id=767666
http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
phpMyAdmin
----------
The vendor has released a patch that fixes this vulnerability. Download it from the vendor's security page:
http://www.phpmyadmin.net/home_page/security/