phpMyAdmin Bringing MySQL to the web

PMASA-2007-6

Announcement-ID: PMASA-2007-6

Date: 2007-10-17

Updated: 2007-10-24 (CVE reference)

Summary

XSS vulnerabilities

Description

We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on server_status.php.

Our team fixed also other possible XSS vulnerabilities regarding PHP_SELF, PATH_INFO, REQUEST_URI.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

Probably all versions before 2.11.1.2.

Solution

Upgrade to phpMyAdmin 2.11.1.2 or newer.

References

http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html

Assigned CVE ids: CVE-2007-5589

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

• c32d999eb16a9e2748a834e3ad722cc4d33f7dd5

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.