Announcement-ID: PMASA-2008-6
Date: 2008-07-28
Summary: Cross-site framing; XSS in setup.php
Description: We received two advisories from Aung Khant (YGN Ethical Hacker Group), and we wish to thank him for his work. phpMyAdmin's frames could be displayed inside a page on another site, which opened the door to phishing and other deception of the user; from this release on, the parameter AllowThirdPartyFraming must be set to true in config.inc.php to allow that behavior. In addition, XSS was possible for anyone who could overwrite config/config.inc.php during the time that file is present in the config/ directory.
Severity: We consider these vulnerabilities to be serious. See YGN's advisories for some mitigating factors.
Affected Versions: Versions before 2.11.8.
Solution: Upgrade to phpMyAdmin 2.11.8 or newer.
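The following is an added illustration of the two defensive points in this advisory; it is not phpMyAdmin's own code and does not show how 2.11.8 implements the setting. It assumes the directive name AllowThirdPartyFraming from the advisory, uses the standard X-Frame-Options and Content-Security-Policy frame-ancestors response headers as the anti-framing mechanism (this example's choice), and takes the installation directory path as a hypothetical argument for the setup-file check.

```php
<?php
// Added example for PMASA-2008-6 (not phpMyAdmin's code). It shows the secure
// framing setting and a check that the setup-time config file was not left in
// place, which is the condition the XSS in setup.php depended on.

// --- Framing -----------------------------------------------------------
// The directive named in the advisory. false means the interface must not be
// embedded in a page served by another site; set it to true only if you
// deliberately frame phpMyAdmin from your own application.
$cfg['AllowThirdPartyFraming'] = false;

/**
 * Return the response headers that tell browsers not to render this page
 * inside a frame owned by another origin. Using these headers here is this
 * example's choice, not a statement about how 2.11.8 enforces the setting.
 */
function antiFramingHeaders(array $cfg): array
{
    if (!empty($cfg['AllowThirdPartyFraming'])) {
        return []; // the operator explicitly allowed cross-site framing
    }
    return [
        'X-Frame-Options: SAMEORIGIN',
        "Content-Security-Policy: frame-ancestors 'self'",
    ];
}

// --- Setup directory ---------------------------------------------------
/**
 * Report whether config/config.inc.php still exists. The advisory's XSS was
 * only possible while that file is present and writable, so it should exist
 * in config/ only for the duration of setup and be moved out afterwards.
 * $root is the phpMyAdmin installation directory (hypothetical path here).
 */
function setupConfigStillPresent(string $root): bool
{
    return is_file($root . '/config/config.inc.php');
}

// Usage: send the headers before any output, then warn if setup was left open.
foreach (antiFramingHeaders($cfg) as $header) {
    header($header);
}
if (setupConfigStillPresent(__DIR__)) {
    error_log('phpMyAdmin: config/config.inc.php is still present; move it to '
        . 'the installation root and remove the config/ directory after setup.');
}
```

With AllowThirdPartyFraming left at false, antiFramingHeaders() returns the two headers and the page refuses to render in a third-party frame; the setup check is something an operator would run once after installation, since the window the advisory describes closes as soon as the file is moved out of config/.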
These advisories are available from the reporter:
http://yehg.net/lab/pr0js/advisories/Cross-Site_Framing_inphpMyAdmin2.11.7.pdf
http://yehg.net/lab/pr0js/advisories/XSS_inPhpMyAdmin2.11.7.pdf
Assigned CVE ids: CVE-2008-3457
The following commits have been made to fix this issue:
The following commits have been made on the 2.11 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.