Bringing MySQL to the web

PMASA-2008-4

Announcement-ID: PMASA-2008-4

Date: 2008-06-23

Summary

XSS on plausible insecure PHP installation

Description

We received an advisory from Tim Starling (Wikimedia), and we wish to thank him for his work. Some scripts in the /libraries directory were vulnerable to XSS.

Severity

We consider this vulnerability to be serious.

Mitigation factor

We were able to reproduce this only on systems where both of these conditions are true: the PHP register_globals setting is "on" and the web server does not apply the settings contained in the .htaccess file that we placed in /libraries.

Affected Versions

Versions before 2.11.7.

Solution

Upgrade to phpMyAdmin 2.11.7 or newer.

References

Assigned CVE ids: CVE-2008-2960

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.