Bringing MySQL to the web

PMASA-2011-14

Announcement-ID: PMASA-2011-14

Date: 2011-09-14

Summary

Multiple XSS.

Description

Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities.

Severity

We consider these vulnerabilities to be serious.

Mitigation factor

An attacker must be logged in via phpMyAdmin to exploit this problem.

Affected Versions

Versions 3.4.0 to 3.4.4 were found vulnerable.

Solution

Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below.

References

The first issue was found by Brad Bernard (iunfollow.com). The second issue was found by Nils Juenemann (https://twitter.com/#!/totally_unknown.)

CWE ids: CWE-661 CWE-98

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.