Release date: 2013-07-04
Updated on:
Affected Systems:
phpMyAdmin <= 4.0.3
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2013-3742
phpMyAdmin is a web-based management tool for MySQL databases. Its main functions include creating tables, running SQL statements, searching and querying data, and importing and exporting data.
The view_create.php script in phpMyAdmin 4.x up to and including 4.0.3 has a cross-site scripting vulnerability. An authenticated remote attacker can submit an invalid SQL CREATE VIEW statement with a specially crafted view name that triggers an error message, and can use this to inject arbitrary web script or HTML.
<* Source: Maxim Rupp
Link: http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php
*>
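As an added illustration of the bug class and its fix, here is a simplified error renderer for a failed CREATE VIEW request, first reflecting the user-controlled view name into HTML unescaped and then output-encoding it. This is example code written for this note, not phpMyAdmin's own code or the PMASA-2013-6 patch; the function names and sample strings are hypothetical.

```php
<?php
// Added example (not phpMyAdmin's code). The hypothetical names below model
// the situation in the advisory: a user-supplied view name ends up inside an
// HTML error message.

function render_view_error_vulnerable(string $viewName, string $dbError): string
{
    // Raw string interpolation: any markup inside $viewName (or inside the
    // database error text, which usually echoes part of the failed statement)
    // becomes part of the page and is parsed by the browser.
    return '<div class="error">Could not create view ' . $viewName
         . ': ' . $dbError . '</div>';
}

function render_view_error_hardened(string $viewName, string $dbError): string
{
    // Encode every user-controlled or database-derived string for an HTML
    // text context. ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE replaces
    // invalid byte sequences instead of returning an empty string, and the
    // explicit charset keeps multibyte input from confusing the encoder.
    $safeName  = htmlspecialchars($viewName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeError = htmlspecialchars($dbError, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">Could not create view ' . $safeName
         . ': ' . $safeError . '</div>';
}

// Constructed sample input: a view name carrying HTML markup, and a made-up
// server error text that echoes the name back (as MySQL syntax errors do).
$craftedName = 'reports<i title="x">injected</i>';
$dbError     = 'Syntax error near \'' . $craftedName . '\' at line 1';

// Vulnerable output: the <i> element is emitted verbatim, so the browser
// renders it as markup rather than as the name the user typed.
echo render_view_error_vulnerable($craftedName, $dbError), PHP_EOL;

// Hardened output: the same name is displayed as literal text; the angle
// brackets and quotes arrive in the page as HTML entities.
echo render_view_error_hardened($craftedName, $dbError), PHP_EOL;
```

The same encoding rule applies to every place the name is reflected, including the error text returned by the database server, since that text commonly quotes the offending identifier.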
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
phpMyAdmin
----------
phpMyAdmin has released security advisory PMASA-2013-6 and a corresponding patch for this issue:
PMASA-2013-6: phpMyAdmin security advisory
Link: http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php
Patch download: https://github.com/phpmyadmin/phpmyadmin/commit/9b3551601ce714adb5e3f428476052f0ec6093bf