Bringing MySQL to the web

PMASA-2006-2

Announcement-ID: PMASA-2006-2

Date: 2006-05-12

Summary

XSS vulnerabilities

Description

1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.
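The pattern behind both items, as an added illustration that is not phpMyAdmin's own code: a request parameter echoed into markup unchanged, next to the allowlist-plus-escaping form that stops it. The parameter names, the allowlists and the markup are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyAdmin's code: the reflected-XSS pattern the
// advisory describes (a request parameter echoed into markup unchanged) next to
// an allowlist-plus-escaping version. The parameter names, allowlists and
// markup below are assumptions for the example.

// Known-good values; a real application would derive these from the language
// and theme directories it ships.
const ALLOWED_LANGS  = ['en', 'de', 'fr'];
const ALLOWED_THEMES = ['original', 'darkblue_orange'];

/** Vulnerable: user-controlled values are written straight into the page. */
function renderVulnerable(array $get): string
{
    $lang  = $get['lang']  ?? 'en';
    $theme = $get['theme'] ?? 'original';
    $db    = $get['db']    ?? '';
    // A value containing a double quote closes the attribute, and whatever
    // follows it is parsed by the browser as markup.
    return '<input type="hidden" name="lang" value="' . $lang . '">'
         . '<input type="hidden" name="theme" value="' . $theme . '">'
         . '<h2>Database ' . $db . '</h2>';
}

/** Returns the value only if it is on the allowlist, otherwise the default. */
function selectParam(array $get, string $name, array $allowed, string $default): string
{
    $value = $get[$name] ?? $default;
    return in_array($value, $allowed, true) ? $value : $default;
}

/** Escapes a string for placement in HTML text or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened: lang and theme are validated against an allowlist (unknown values
 * fall back to a safe default); db, which cannot be allowlisted, is escaped on
 * output. Allowlisted values are escaped too, as defence in depth.
 */
function renderHardened(array $get): string
{
    $lang  = selectParam($get, 'lang',  ALLOWED_LANGS,  'en');
    $theme = selectParam($get, 'theme', ALLOWED_THEMES, 'original');
    $db    = is_string($get['db'] ?? null) ? $get['db'] : '';
    return '<input type="hidden" name="lang" value="' . h($lang) . '">'
         . '<input type="hidden" name="theme" value="' . h($theme) . '">'
         . '<h2>Database ' . h($db) . '</h2>';
}

// Constructed request: the lang and db parameters carry crafted values.
$crafted = [
    'lang'  => '"><script>alert(1)</script>',
    'theme' => 'original',
    'db'    => '<script>alert(2)</script>',
];

echo renderVulnerable($crafted), "\n"; // the script tags reach the browser intact
echo renderHardened($crafted), "\n";   // lang falls back to "en"; db is rendered as literal text
```

Validating against a fixed set of values is the right control for parameters such as lang and theme, whose legitimate values are known in advance; a free-form value such as db can only be made safe by escaping it for the context in which it is written.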

Severity

We consider these vulnerabilities to be serious.

Affected Versions

[1] All 2.8.0.x releases before 2.8.0.4 are affected; earlier versions are not.
[2] Some releases before 2.8.0.4 are affected (2.6.2 tested vulnerable).

Solution

Upgrade to phpMyAdmin 2.8.0.4.

References

We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.

Assigned CVE ids: CVE-2006-2031

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.